GEF
http_gethttp_get(url: str) → Optional[bytes]
+Basic HTTP wrapper for GET request. Return the body of the page if HTTP code is OK, otherwise return None.
+update_gefupdate_gef(argv: List[str]) → int
+Try to update gef to the latest version pushed on GitHub main branch. Return 0 on success, 1 on failure.
reset_all_cachesreset_all_caches() → None
+Free all caches. If an object is cached, it will have a callable attribute cache_clear which will be invoked to purge the function cache.
resetreset() → None
+highlight_texthighlight_text(text: str) → str
+Highlight text using gef.ui.highlight_table { match -> color } settings.
If RegEx is enabled it will create a match group around all items in the gef.ui.highlight_table and wrap the specified color in the gef.ui.highlight_table around those matches.
If RegEx is disabled, split by ANSI codes and 'colorify' each match found within the specified string.
+gef_printgef_print(*args: str, end='\n', sep=' ', **kwargs: Any) → None
+Wrapper around print(), using string buffering feature.
+bufferizebufferize(f: Callable) → Callable
+Store the content to be printed for a function in memory, and flush it on function exit.
+p8p8(
+ x: int,
+ s: bool = False,
+ e: Optional[ForwardRef('Endianness')] = None
+) → bytes
+Pack one byte respecting the current architecture endianness.
+p16p16(
+ x: int,
+ s: bool = False,
+ e: Optional[ForwardRef('Endianness')] = None
+) → bytes
+Pack one word respecting the current architecture endianness.
+p32p32(
+ x: int,
+ s: bool = False,
+ e: Optional[ForwardRef('Endianness')] = None
+) → bytes
+Pack one dword respecting the current architecture endianness.
+p64p64(
+ x: int,
+ s: bool = False,
+ e: Optional[ForwardRef('Endianness')] = None
+) → bytes
+Pack one qword respecting the current architecture endianness.
+u8u8(
+ x: bytes,
+ s: bool = False,
+ e: Optional[ForwardRef('Endianness')] = None
+) → int
+Unpack one byte respecting the current architecture endianness.
+u16u16(
+ x: bytes,
+ s: bool = False,
+ e: Optional[ForwardRef('Endianness')] = None
+) → int
+Unpack one word respecting the current architecture endianness.
+u32u32(
+ x: bytes,
+ s: bool = False,
+ e: Optional[ForwardRef('Endianness')] = None
+) → int
+Unpack one dword respecting the current architecture endianness.
+u64u64(
+ x: bytes,
+ s: bool = False,
+ e: Optional[ForwardRef('Endianness')] = None
+) → int
+Unpack one qword respecting the current architecture endianness.
+is_ascii_stringis_ascii_string(address: int) → bool
+Helper function to determine if the buffer pointed by address is an ASCII string (in GDB)
is_aliveis_alive() → bool
+Check if GDB is running.
+calling_functioncalling_function() → Optional[str]
+Return the name of the calling function
+only_if_gdb_runningonly_if_gdb_running(f: Callable) → Callable
+Decorator wrapper to check if GDB is running.
+only_if_gdb_target_localonly_if_gdb_target_local(f: Callable) → Callable
+Decorator wrapper to check if GDB is running locally (target not remote).
+deprecateddeprecated(solution: str = '') → Callable
+Decorator to add a warning when a command is obsolete and will be removed.
+experimental_featureexperimental_feature(f: Callable) → Callable
+Decorator to add a warning when a feature is experimental.
+only_if_events_supportedonly_if_events_supported(event_type: str) → Callable
+Checks if GDB supports events without crashing.
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+wrapped_fwrapped_f(*args: Any, **kwargs: Any) → Any
+FakeExitFakeExit(*args: Any, **kwargs: Any) → NoReturn
+parse_argumentsparse_arguments(
+ required_arguments: Dict[Union[str, Tuple[str, str]], Any],
+ optional_arguments: Dict[Union[str, Tuple[str, str]], Any]
+) → Callable
+Argument parsing decorator.
+search_for_main_arenasearch_for_main_arena() → int
+search_for_main_arena is DEPRECATED and will be removed in the future.
+ Use GefHeapManager.find_main_arena_addr()
get_libc_versionget_libc_version() → Tuple[int, ...]
+get_libc_version is DEPRECATED and will be removed in the future.
+ Use GefLibcManager.find_libc_version()
titlifytitlify(
+ text: str,
+ color: Optional[str] = None,
+ msg_color: Optional[str] = None
+) → str
+Print a centered title.
+dbgdbg(msg: str) → None
+errerr(msg: str) → None
+warnwarn(msg: str) → None
+okok(msg: str) → None
+infoinfo(msg: str) → None
+push_context_messagepush_context_message(level: str, message: str) → None
+Push the message to be displayed the next time the context is invoked.
+show_last_exceptionshow_last_exception() → None
+Display the last Python exception.
+gef_pystringgef_pystring(x: bytes) → str
+Returns a sanitized version as string of the bytes list given in input.
+gef_pybytesgef_pybytes(x: str) → bytes
+Returns an immutable bytes list from the string given as input.
+style_bytestyle_byte(b: int, color: bool = True) → str
+hexdumphexdump(
+ source: ByteString,
+ length: int = 16,
+ separator: str = '.',
+ show_raw: bool = False,
+ show_symbol: bool = True,
+ base: int = 0
+) → str
+Return the hexdump of src argument. @param source MUST be of type bytes or bytearray @param length is the length of items per line @param separator is the default character to use if one byte is not printable @param show_raw if True, do not add the line nor the text translation @param base is the start address of the block being hexdump @return a string with the hexdump
is_debugis_debug() → bool
+Check if debug mode is enabled.
+buffer_outputbuffer_output() → bool
+Check if output should be buffered until command completion.
+hide_contexthide_context() → bool
+Helper function to hide the context pane.
+unhide_contextunhide_context() → bool
+Helper function to unhide the context pane.
+enable_redirect_outputenable_redirect_output(to_file: str = '/dev/null') → None
+Redirect all GDB output to to_file parameter. By default, to_file redirects to /dev/null.
disable_redirect_outputdisable_redirect_output() → None
+Disable the output redirection, if any.
+gef_makedirsgef_makedirs(path: str, mode: int = 493) → Path
+Recursive mkdir() creation. If successful, return the absolute path of the directory created.
+gdb_disassemblegdb_disassemble(
+ start_pc: int,
+ **kwargs: int
+) → Generator[__main__.Instruction, NoneType, NoneType]
+Disassemble instructions from start_pc (Integer). Accepts the following named
parameters:
+end_pc (Integer) only instructions whose start address fall in the interval from start_pc to end_pc are returned. count (Integer) list at most this many disassembled instructions If end_pc and count are not provided, the function will behave as if count=1. Return an iterator of Instruction objects gdb_get_nth_previous_instruction_addressgdb_get_nth_previous_instruction_address(addr: int, n: int) → Optional[int]
+Return the address (Integer) of the n-th instruction before addr.
gdb_get_nth_next_instruction_addressgdb_get_nth_next_instruction_address(addr: int, n: int) → int
+Return the address of the n-th instruction after addr.
+ gdb_get_nth_next_instruction_address is DEPRECATED and will be removed in the future.
+ Use gef_instruction_n().address
gef_instruction_ngef_instruction_n(addr: int, n: int) → Instruction
+Return the n-th instruction after addr as an Instruction object. Note that n is treated as an positive index, starting from 0 (current instruction address)
gef_get_instruction_atgef_get_instruction_at(addr: int) → Instruction
+Return the full Instruction found at the specified address.
+gef_current_instructiongef_current_instruction(addr: int) → Instruction
+Return the current instruction as an Instruction object.
+gef_next_instructiongef_next_instruction(addr: int) → Instruction
+Return the next instruction as an Instruction object.
+gef_disassemblegef_disassemble(
+ addr: int,
+ nb_insn: int,
+ nb_prev: int = 0
+) → Generator[__main__.Instruction, NoneType, NoneType]
+Disassemble nb_insn instructions after addr and nb_prev before addr. Return an iterator of Instruction objects.
gef_execute_externalgef_execute_external(
+ command: Sequence[str],
+ as_list: bool = False,
+ **kwargs: Any
+) → Union[str, List[str]]
+Execute an external command and return the result.
+gef_execute_gdb_scriptgef_execute_gdb_script(commands: str) → None
+Execute the parameter source as GDB command. This is done by writing commands to a temporary file, which is then executed via GDB source command. The tempfile is then deleted.
checksecchecksec(filename: str) → Dict[str, bool]
+checksec is DEPRECATED and will be removed in the future.
+ Use Elf(fname).checksec()
get_entry_pointget_entry_point() → Optional[int]
+Return the binary entry point.
+ get_entry_point is DEPRECATED and will be removed in the future.
+ Use gef.binary.entry_point instead
is_pieis_pie(fpath: str) → bool
+is_big_endianis_big_endian() → bool
+is_big_endian is DEPRECATED and will be removed in the future.
+ Prefer gef.arch.endianness == Endianness.BIG_ENDIAN
is_little_endianis_little_endian() → bool
+is_little_endian is DEPRECATED and will be removed in the future.
+ gef.arch.endianness == Endianness.LITTLE_ENDIAN
flags_to_humanflags_to_human(reg_value: int, value_table: Dict[int, str]) → str
+Return a human readable string showing the flag states.
+register_architectureregister_architecture(
+ cls: Type[ForwardRef('Architecture')]
+) → Type[ForwardRef('Architecture')]
+register_architecture is DEPRECATED and will be removed in the future.
+ Using the decorator register_architecture is unecessary
copy_to_clipboardcopy_to_clipboard(data: bytes) → None
+Helper function to submit data to the clipboard
+use_stdtypeuse_stdtype() → str
+use_default_typeuse_default_type() → str
+use_golang_typeuse_golang_type() → str
+use_rust_typeuse_rust_type() → str
+to_unsigned_longto_unsigned_long(v: gdb.Value) → int
+Cast a gdb.Value to unsigned long.
+get_path_from_info_procget_path_from_info_proc() → Optional[str]
+get_osget_os() → str
+get_os is DEPRECATED and will be removed in the future.
+ Use gef.session.os
get_filepathget_filepath() → Optional[str]
+Return the local absolute path of the file currently debugged.
+get_function_lengthget_function_length(sym: str) → int
+Attempt to get the length of the raw bytes of a function.
+process_lookup_addressprocess_lookup_address(address: int) → Optional[__main__.Section]
+Look up for an address in memory. Return an Address object if found, None otherwise.
+xorxor(data: ByteString, key: str) → bytearray
+Return data xor-ed with key.
is_hexis_hex(pattern: str) → bool
+Return whether provided string is a hexadecimal value.
+continue_handlercontinue_handler(_: 'gdb.ContinueEvent') → None
+GDB event handler for new object continue cases.
+hook_stop_handlerhook_stop_handler(_: 'gdb.StopEvent') → None
+GDB event handler for stop cases.
+new_objfile_handlernew_objfile_handler(evt: Optional[ForwardRef('gdb.NewObjFileEvent')]) → None
+GDB event handler for new object file cases.
+exit_handlerexit_handler(_: 'gdb.ExitedEvent') → None
+GDB event handler for exit cases.
+memchanged_handlermemchanged_handler(_: 'gdb.MemoryChangedEvent') → None
+GDB event handler for mem changes cases.
+regchanged_handlerregchanged_handler(_: 'gdb.RegisterChangedEvent') → None
+GDB event handler for reg changes cases.
+get_terminal_sizeget_terminal_size() → Tuple[int, int]
+Return the current terminal size.
+reset_architecturereset_architecture(arch: Optional[str] = None) → None
+Sets the current architecture. If an architecture is explicitly specified by parameter, try to use that one. If this fails, an OSError exception will occur. If no architecture is specified, then GEF will attempt to determine automatically based on the current ELF target. If this fails, an OSError exception will occur.
get_memory_alignmentget_memory_alignment(in_bits: bool = False) → int
+Try to determine the size of a pointer on this system. First, try to parse it out of the ELF header. Next, use the size of size_t. Finally, try the size of $pc. If in_bits is set to True, the result is returned in bits, otherwise in bytes.
+ get_memory_alignment is DEPRECATED and will be removed in the future.
+ Use gef.arch.ptrsize instead
clear_screenclear_screen(tty: str = '') → None
+Clear the screen.
+format_addressformat_address(addr: int) → str
+Format the address according to its size.
+format_address_spacesformat_address_spaces(addr: int, left: bool = True) → str
+Format the address according to its size, but with spaces instead of zeroes.
+align_addressalign_address(address: int) → int
+Align the provided address to the process's native length.
+align_address_to_sizealign_address_to_size(address: int, align: int) → int
+Align the address to the given size.
+align_address_to_pagealign_address_to_page(address: int) → int
+Align the address to a page.
+parse_addressparse_address(address: str) → int
+Parse an address and return it as an Integer.
+is_in_x86_kernelis_in_x86_kernel(address: int) → bool
+is_remote_debugis_remote_debug() → bool
+"Return True is the current debugging session is running through GDB remote session.
+de_bruijnde_bruijn(alphabet: bytes, n: int) → Generator[str, NoneType, NoneType]
+De Bruijn sequence for alphabet and subsequences of length n (for compat. w/ pwnlib).
+generate_cyclic_patterngenerate_cyclic_pattern(length: int, cycle: int = 4) → bytearray
+Create a length byte bytearray of a de Bruijn cyclic pattern.
safe_parse_and_evalsafe_parse_and_eval(value: str) → Optional[ForwardRef('gdb.Value')]
+GEF wrapper for gdb.parse_and_eval(): this function returns None instead of raising gdb.error if the eval failed.
+gef_conveniencegef_convenience(value: Union[str, bytes]) → str
+Defines a new convenience value.
+parse_string_rangeparse_string_range(s: str) → Iterator[int]
+Parses an address range (e.g. 0x400000-0x401000)
+gef_get_pie_breakpointgef_get_pie_breakpoint(num: int) → PieVirtualBreakpoint
+gef_get_pie_breakpoint is DEPRECATED and will be removed in the future.
+ Use gef.session.pie_breakpoints[num]
endian_strendian_str() → str
+endian_str is DEPRECATED and will be removed in the future.
+ Use str(gef.arch.endianness) instead
get_gef_settingget_gef_setting(name: str) → Any
+get_gef_setting is DEPRECATED and will be removed in the future.
+ Use gef.config[key]
set_gef_settingset_gef_setting(name: str, value: Any) → None
+set_gef_setting is DEPRECATED and will be removed in the future.
+ Use gef.config[key] = value
gef_getpagesizegef_getpagesize() → int
+gef_getpagesize is DEPRECATED and will be removed in the future.
+ Use gef.session.pagesize
gef_read_canarygef_read_canary() → Optional[Tuple[int, int]]
+gef_read_canary is DEPRECATED and will be removed in the future.
+ Use gef.session.canary
get_pidget_pid() → int
+get_pid is DEPRECATED and will be removed in the future.
+ Use gef.session.pid
get_filenameget_filename() → str
+get_filename is DEPRECATED and will be removed in the future.
+ Use gef.session.file.name
get_glibc_arenaget_glibc_arena() → Optional[__main__.GlibcArena]
+get_glibc_arena is DEPRECATED and will be removed in the future.
+ Use gef.heap.main_arena
get_registerget_register(regname) → Optional[int]
+get_register is DEPRECATED and will be removed in the future.
+ Use gef.arch.register(regname)
get_process_mapsget_process_maps() → List[__main__.Section]
+get_process_maps is DEPRECATED and will be removed in the future.
+ Use gef.memory.maps
set_archset_arch(arch: Optional[str] = None, _: Optional[str] = None) → None
+set_arch is DEPRECATED and will be removed in the future.
+ Use reset_architecture
register_external_context_paneregister_external_context_pane(
+ pane_name: str,
+ display_pane_function: Callable[[], NoneType],
+ pane_title_function: Callable[[], Optional[str]],
+ condition: Optional[Callable[[], bool]] = None
+) → None
+Registering function for new GEF Context View. pane_name: a string that has no spaces (used in settings) display_pane_function: a function that uses gef_print() to print strings pane_title_function: a function that returns a string or None, which will be displayed as the title. If None, no title line is displayed. condition: an optional callback: if not None, the callback will be executed first. If it returns true, then only the pane title and content will displayed. Otherwise, it's simply skipped.
+Example usage for a simple text to show when we hit a syscall: def only_syscall(): return gef_current_instruction(gef.arch.pc).is_syscall() def display_pane(): gef_print("Wow, I am a context pane!") def pane_title(): return "example:pane" register_external_context_pane("example_pane", display_pane, pane_title, only_syscall)
+register_external_commandregister_external_command(
+ cls: Type[ForwardRef('GenericCommand')]
+) → Type[ForwardRef('GenericCommand')]
+Registering function for new GEF (sub-)command to GDB.
+ register_external_command is DEPRECATED and will be removed in the future.
+ Use register(), and inherit from GenericCommand instead
register_commandregister_command(
+ cls: Type[ForwardRef('GenericCommand')]
+) → Type[ForwardRef('GenericCommand')]
+Decorator for registering new GEF (sub-)command to GDB.
+ register_command is DEPRECATED and will be removed in the future.
+ Use register(), and inherit from GenericCommand instead
register_priority_commandregister_priority_command(
+ cls: Type[ForwardRef('GenericCommand')]
+) → Type[ForwardRef('GenericCommand')]
+Decorator for registering new command with priority, meaning that it must loaded before the other generic commands.
+ register_priority_command is DEPRECATED and will be removed in the future.
registerregister(
+ cls: Union[Type[ForwardRef('GenericCommand')], Type[ForwardRef('GenericFunction')]]
+) → Union[Type[ForwardRef('GenericCommand')], Type[ForwardRef('GenericFunction')]]
+register_functionregister_function(
+ cls: Type[ForwardRef('GenericFunction')]
+) → Type[ForwardRef('GenericFunction')]
+Decorator for registering a new convenience function to GDB.
+ register_function is DEPRECATED and will be removed in the future.
AARCH64Determine the size of pointer from the current CPU mode
+AARCH64.canary_addresscanary_address() → int
+AARCH64.flag_register_to_humanflag_register_to_human(val: Optional[int] = None) → str
+AARCH64.get_ith_parameterget_ith_parameter(i: int, in_func: bool = True) → Tuple[str, Optional[int]]
+Retrieves the correct parameter used for the current function call.
+AARCH64.get_raget_ra(insn: __main__.Instruction, frame: 'gdb.Frame') → int
+AARCH64.is_aarch32is_aarch32() → bool
+Determine if the CPU is currently in AARCH32 mode from runtime.
+AARCH64.is_branch_takenis_branch_taken(insn: __main__.Instruction) → Tuple[bool, str]
+AARCH64.is_callis_call(insn: __main__.Instruction) → bool
+AARCH64.is_conditional_branchis_conditional_branch(insn: __main__.Instruction) → bool
+AARCH64.is_retis_ret(insn: __main__.Instruction) → bool
+AARCH64.is_thumbis_thumb() → bool
+Determine if the machine is currently in THUMB mode.
+AARCH64.is_thumb32is_thumb32() → bool
+Determine if the CPU is currently in THUMB32 mode from runtime.
+AARCH64.mprotect_asmmprotect_asm(addr: int, size: int, perm: __main__.Permission) → str
+AARCH64.registerregister(name: str) → int
+AARCH64.reset_cachesreset_caches() → None
+AARCH64.supports_gdb_archsupports_gdb_arch(gdb_arch: str) → Optional[bool]
+If implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
ARMARM.canary_addresscanary_address() → int
+ARM.flag_register_to_humanflag_register_to_human(val: Optional[int] = None) → str
+ARM.get_ith_parameterget_ith_parameter(i: int, in_func: bool = True) → Tuple[str, Optional[int]]
+Retrieves the correct parameter used for the current function call.
+ARM.get_raget_ra(insn: __main__.Instruction, frame: 'gdb.Frame') → int
+ARM.is_branch_takenis_branch_taken(insn: __main__.Instruction) → Tuple[bool, str]
+ARM.is_callis_call(insn: __main__.Instruction) → bool
+ARM.is_conditional_branchis_conditional_branch(insn: __main__.Instruction) → bool
+ARM.is_retis_ret(insn: __main__.Instruction) → bool
+ARM.is_thumbis_thumb() → bool
+Determine if the machine is currently in THUMB mode.
+ARM.mprotect_asmmprotect_asm(addr: int, size: int, perm: __main__.Permission) → str
+ARM.registerregister(name: str) → int
+ARM.reset_cachesreset_caches() → None
+ARM.supports_gdb_archsupports_gdb_arch(gdb_arch: str) → Optional[bool]
+If implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
ASLRCommandView/modify the ASLR setting of GDB. By default, GDB will disable ASLR when it starts the process. (i.e. not attached). This command allows to change that setting.
+ASLRCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+ASLRCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
ASLRCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
ASLRCommand.do_invokedo_invoke(argv: List[str]) → None
+ASLRCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
ASLRCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
ASLRCommand.invokeinvoke(args: str, from_tty: bool) → None
+ASLRCommand.post_loadpost_load() → None
+ASLRCommand.pre_loadpre_load() → None
+ASLRCommand.usageusage() → None
+AddressGEF representation of memory addresses.
+Address.__init____init__(**kwargs: Any) → None
+Address.dereferencedereference() → Optional[int]
+Address.is_in_heap_segmentis_in_heap_segment() → bool
+Address.is_in_stack_segmentis_in_stack_segment() → bool
+Address.is_in_text_segmentis_in_text_segment() → bool
+AliasesAddCommandCommand to add aliases.
+AliasesAddCommand.__init____init__() → None
+Return the list of settings for this command.
+AliasesAddCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
AliasesAddCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
AliasesAddCommand.do_invokedo_invoke(argv: List[str]) → None
+AliasesAddCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
AliasesAddCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
AliasesAddCommand.invokeinvoke(args: str, from_tty: bool) → None
+AliasesAddCommand.post_loadpost_load() → None
+AliasesAddCommand.pre_loadpre_load() → None
+AliasesAddCommand.usageusage() → None
+AliasesCommandBase command to add, remove, or list aliases.
+AliasesCommand.__init____init__() → None
+Return the list of settings for this command.
+AliasesCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
AliasesCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
AliasesCommand.do_invokedo_invoke(_: List[str]) → None
+AliasesCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
AliasesCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
AliasesCommand.invokeinvoke(args: str, from_tty: bool) → None
+AliasesCommand.post_loadpost_load() → None
+AliasesCommand.pre_loadpre_load() → None
+AliasesCommand.usageusage() → None
+AliasesListCommandCommand to list aliases.
+AliasesListCommand.__init____init__() → None
+Return the list of settings for this command.
+AliasesListCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
AliasesListCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
AliasesListCommand.do_invokedo_invoke(_: List[str]) → None
+AliasesListCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
AliasesListCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
AliasesListCommand.invokeinvoke(args: str, from_tty: bool) → None
+AliasesListCommand.post_loadpost_load() → None
+AliasesListCommand.pre_loadpre_load() → None
+AliasesListCommand.usageusage() → None
+AliasesRmCommandCommand to remove aliases.
+AliasesRmCommand.__init____init__() → None
+Return the list of settings for this command.
+AliasesRmCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
AliasesRmCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
AliasesRmCommand.do_invokedo_invoke(argv: List[str]) → None
+AliasesRmCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
AliasesRmCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
AliasesRmCommand.invokeinvoke(args: str, from_tty: bool) → None
+AliasesRmCommand.post_loadpost_load() → None
+AliasesRmCommand.pre_loadpre_load() → None
+AliasesRmCommand.usageusage() → None
+ArchitectureGeneric metaclass for the architecture supported by GEF.
+Architecture.canary_addresscanary_address() → int
+Architecture.flag_register_to_humanflag_register_to_human(val: Optional[int] = None) → str
+Architecture.get_ith_parameterget_ith_parameter(i: int, in_func: bool = True) → Tuple[str, Optional[int]]
+Retrieves the correct parameter used for the current function call.
+Architecture.get_raget_ra(insn: __main__.Instruction, frame: 'gdb.Frame') → Optional[int]
+Architecture.is_branch_takenis_branch_taken(insn: __main__.Instruction) → Tuple[bool, str]
+Architecture.is_callis_call(insn: __main__.Instruction) → bool
+Architecture.is_conditional_branchis_conditional_branch(insn: __main__.Instruction) → bool
+Architecture.is_retis_ret(insn: __main__.Instruction) → bool
+Architecture.mprotect_asmmprotect_asm(addr: int, size: int, perm: __main__.Permission) → str
+Architecture.registerregister(name: str) → int
+Architecture.reset_cachesreset_caches() → None
+Architecture.supports_gdb_archsupports_gdb_arch(gdb_arch: str) → Optional[bool]
+If implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
ArchitectureBaseClass decorator for declaring an architecture to GEF.
+BssBaseFunctionReturn the current bss base address plus the given offset.
+BssBaseFunction.__init____init__() → None
+BssBaseFunction.arg_to_longarg_to_long(args: List, index: int, default: int = 0) → int
+BssBaseFunction.do_invokedo_invoke(args: List) → int
+BssBaseFunction.invokeinvoke(*args: Any) → int
+CanaryCommandShows the canary value of the current process.
+CanaryCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+CanaryCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
CanaryCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
CanaryCommand.do_invokedo_invoke(argv: List[str]) → None
+CanaryCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
CanaryCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
CanaryCommand.invokeinvoke(args: str, from_tty: bool) → None
+CanaryCommand.post_loadpost_load() → None
+CanaryCommand.pre_loadpre_load() → None
+CanaryCommand.usageusage() → None
+ChangeFdCommandChangeFdCommand: redirect file descriptor during runtime.
+ChangeFdCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+ChangeFdCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
ChangeFdCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
ChangeFdCommand.do_invokedo_invoke(argv: List[str]) → None
+ChangeFdCommand.get_fd_from_resultget_fd_from_result(res: str) → int
+ChangeFdCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
ChangeFdCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
ChangeFdCommand.invokeinvoke(args: str, from_tty: bool) → None
+ChangeFdCommand.post_loadpost_load() → None
+ChangeFdCommand.pre_loadpre_load() → None
+ChangeFdCommand.usageusage() → None
+ChangePermissionBreakpointWhen hit, this temporary breakpoint will restore the original code, and position $pc correctly.
+ChangePermissionBreakpoint.__init____init__(loc: str, code: ByteString, pc: int) → None
+ChangePermissionBreakpoint.stopstop() → bool
+ChecksecCommandChecksec the security properties of the current executable or passed as argument. The command checks for the following protections: +- PIE +- NX +- RelRO +- Glibc Stack Canaries +- Fortify Source
+ChecksecCommand.__init____init__() → None
+Return the list of settings for this command.
+ChecksecCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
ChecksecCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
ChecksecCommand.do_invokedo_invoke(argv: List[str]) → None
+ChecksecCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
ChecksecCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
ChecksecCommand.invokeinvoke(args: str, from_tty: bool) → None
+ChecksecCommand.post_loadpost_load() → None
+ChecksecCommand.pre_loadpre_load() → None
+ChecksecCommand.print_security_propertiesprint_security_properties(filename: str) → None
+ChecksecCommand.usageusage() → None
+ColorUsed to colorify terminal output.
+Color.blinkifyblinkify(msg: str) → str
+Color.blueifyblueify(msg: str) → str
+Color.boldifyboldify(msg: str) → str
+Color.colorifycolorify(text: str, attrs: str) → str
+Color text according to the given attributes.
+Color.cyanifycyanify(msg: str) → str
+Color.grayifygrayify(msg: str) → str
+Color.greenifygreenify(msg: str) → str
+Color.highlightifyhighlightify(msg: str) → str
+Color.light_grayifylight_grayify(msg: str) → str
+Color.pinkifypinkify(msg: str) → str
+Color.redifyredify(msg: str) → str
+Color.underlinifyunderlinify(msg: str) → str
+Color.yellowifyyellowify(msg: str) → str
+ContextCommandDisplays a comprehensive and modular summary of runtime context. Unless setting enable is set to False, this command will be spawned automatically every time GDB hits a breakpoint, a watchpoint, or any kind of interrupt. By default, it will show panes that contain the register states, the stack, and the disassembly code around $pc.
ContextCommand.__init____init__() → None
+Return the list of settings for this command.
+ContextCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
ContextCommand.addr_has_breakpointaddr_has_breakpoint(address: int, bp_locations: List[str]) → bool
+ContextCommand.context_additional_informationcontext_additional_information() → None
+ContextCommand.context_argscontext_args() → None
+ContextCommand.context_codecontext_code() → None
+ContextCommand.context_memorycontext_memory() → None
+ContextCommand.context_regscontext_regs() → None
+ContextCommand.context_sourcecontext_source() → None
+ContextCommand.context_stackcontext_stack() → None
+ContextCommand.context_threadscontext_threads() → None
+ContextCommand.context_titlecontext_title(m: Optional[str]) → None
+ContextCommand.context_tracecontext_trace() → None
+ContextCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
ContextCommand.do_invokedo_invoke(argv: List[str]) → None
+ContextCommand.empty_extra_messagesempty_extra_messages(_) → None
+ContextCommand.get_pc_context_infoget_pc_context_info(pc: int, line: str) → str
+ContextCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
ContextCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
ContextCommand.invokeinvoke(args: str, from_tty: bool) → None
+ContextCommand.line_has_breakpointline_has_breakpoint(
+ file_name: str,
+ line_number: int,
+ bp_locations: List[str]
+) → bool
+ContextCommand.post_loadpost_load() → None
+ContextCommand.pre_loadpre_load() → None
+ContextCommand.print_arguments_from_symbolprint_arguments_from_symbol(function_name: str, symbol: 'gdb.Symbol') → None
+If symbols were found, parse them and print the argument adequately.
+ContextCommand.print_guessed_argumentsprint_guessed_arguments(function_name: str) → None
+When no symbol, read the current basic block and look for "interesting" instructions.
+ContextCommand.show_legendshow_legend() → None
+ContextCommand.update_registersupdate_registers(_) → None
+ContextCommand.usageusage() → None
+DereferenceCommandDereference recursively from an address and display information. This acts like WinDBG dps command.
DereferenceCommand.__init____init__() → None
+Return the list of settings for this command.
+DereferenceCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
DereferenceCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
DereferenceCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+DereferenceCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
DereferenceCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
DereferenceCommand.invokeinvoke(args: str, from_tty: bool) → None
+DereferenceCommand.post_loadpost_load() → None
+DereferenceCommand.pprint_dereferencedpprint_dereferenced(addr: int, idx: int, base_offset: int = 0) → str
+DereferenceCommand.pre_loadpre_load() → None
+DereferenceCommand.usageusage() → None
+DetailRegistersCommandDisplay full details on one, many or all registers value from current architecture.
+DetailRegistersCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+DetailRegistersCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
DetailRegistersCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
DetailRegistersCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+DetailRegistersCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
DetailRegistersCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
DetailRegistersCommand.invokeinvoke(args: str, from_tty: bool) → None
+DetailRegistersCommand.post_loadpost_load() → None
+DetailRegistersCommand.pre_loadpre_load() → None
+DetailRegistersCommand.usageusage() → None
+DisableContextOutputContextElfBasic ELF parsing. Ref: +- http://www.skyfree.org/linux/references/ELF_Format.pdf +- https://refspecs.linuxfoundation.org/elf/elfspec_ppc.pdf +- https://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html
+Elf.__init____init__(path: Union[str, pathlib.Path]) → None
+Instantiate an ELF object. A valid ELF must be provided, or an exception will be thrown.
+Check the security property of the ELF binary. The following properties are: +- Canary +- NX +- PIE +- Fortify +- Partial/Full RelRO. Return a dict() with the different keys mentioned above, and the boolean associated whether the protection was found.
+Elf.is_validis_valid(path: pathlib.Path) → bool
+Elf.readread(size: int) → bytes
+Elf.read_and_unpackread_and_unpack(fmt: str) → Tuple[Any, ...]
+Elf.seekseek(off: int) → None
+ElfInfoCommandDisplay a limited subset of ELF header information. If no argument is provided, the command will show information about the current ELF being debugged.
+ElfInfoCommand.__init____init__() → None
+Return the list of settings for this command.
+ElfInfoCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
ElfInfoCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
ElfInfoCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+ElfInfoCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
ElfInfoCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
ElfInfoCommand.invokeinvoke(args: str, from_tty: bool) → None
+ElfInfoCommand.post_loadpost_load() → None
+ElfInfoCommand.pre_loadpre_load() → None
+ElfInfoCommand.usageusage() → None
+EndiannessAn enumeration.
+EntryBreakBreakpointBreakpoint used internally to stop execution at the most convenient entry point.
+EntryBreakBreakpoint.__init____init__(location: str) → None
+EntryBreakBreakpoint.stopstop() → bool
+EntryPointBreakCommandTries to find best entry point and sets a temporary breakpoint on it. The command will test for well-known symbols for entry points, such as main, _main, __libc_start_main, etc. defined by the setting entrypoint_symbols.
EntryPointBreakCommand.__init____init__() → None
+Return the list of settings for this command.
+EntryPointBreakCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
EntryPointBreakCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
EntryPointBreakCommand.do_invokedo_invoke(argv: List[str]) → None
+EntryPointBreakCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
EntryPointBreakCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
EntryPointBreakCommand.invokeinvoke(args: str, from_tty: bool) → None
+EntryPointBreakCommand.post_loadpost_load() → None
+EntryPointBreakCommand.pre_loadpre_load() → None
+EntryPointBreakCommand.set_init_tbreakset_init_tbreak(addr: int) → EntryBreakBreakpoint
+EntryPointBreakCommand.set_init_tbreak_pieset_init_tbreak_pie(addr: int, argv: List[str]) → EntryBreakBreakpoint
+EntryPointBreakCommand.usageusage() → None
+ExternalStructureManagerExternalStructureManager.__init____init__() → None
+ExternalStructureManager.clear_cachesclear_caches() → None
+FileFormatFileFormat.__init____init__(path: Union[str, pathlib.Path]) → None
+FileFormat.is_validis_valid(path: pathlib.Path) → bool
+FileFormatSectionFlagsCommandEdit flags in a human friendly way.
+FlagsCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+FlagsCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
FlagsCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
FlagsCommand.do_invokedo_invoke(argv: List[str]) → None
+FlagsCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
FlagsCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
FlagsCommand.invokeinvoke(args: str, from_tty: bool) → None
+FlagsCommand.post_loadpost_load() → None
+FlagsCommand.pre_loadpre_load() → None
+FlagsCommand.usageusage() → None
+FormatStringBreakpointInspect stack for format string.
+FormatStringBreakpoint.__init____init__(spec: str, num_args: int) → None
+FormatStringBreakpoint.stopstop() → bool
+FormatStringSearchCommandExploitable format-string helper: this command will set up specific breakpoints at well-known dangerous functions (printf, snprintf, etc.), and check if the pointer holding the format string is writable, and therefore susceptible to format string attacks if an attacker can control its content.
+FormatStringSearchCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+FormatStringSearchCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
FormatStringSearchCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
FormatStringSearchCommand.do_invokedo_invoke(_: List[str]) → None
+FormatStringSearchCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
FormatStringSearchCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
FormatStringSearchCommand.invokeinvoke(args: str, from_tty: bool) → None
+FormatStringSearchCommand.post_loadpost_load() → None
+FormatStringSearchCommand.pre_loadpre_load() → None
+FormatStringSearchCommand.usageusage() → None
+GdbRemoveReadlineFinderGdbRemoveReadlineFinder.find_modulefind_module(fullname, path=None)
+GdbRemoveReadlineFinder.load_moduleload_module(fullname)
+GefThe GEF root class, which serves as a entrypoint for all the debugging session attributes (architecture, memory, settings, etc.).
+Gef.__init____init__() → None
+Gef.reinitialize_managersreinitialize_managers() → None
+Reinitialize the managers. Avoid calling this function directly, using pi reset() is preferred
Gef.reset_cachesreset_caches() → None
+Recursively clean the cache of all the managers. Avoid calling this function directly, using reset-cache is preferred
Gef.setupsetup() → None
+Setup initialize the runtime setup, which may require for the gef to be not None.
GefAliasSimple aliasing wrapper because GDB doesn't do what it should.
+GefAlias.__init____init__(
+ alias: str,
+ command: str,
+ completer_class: int = 0,
+ command_class: int = -1
+) → None
+GefAlias.invokeinvoke(args: Any, from_tty: bool) → None
+GefAlias.lookup_commandlookup_command(cmd: str) → Optional[Tuple[str, __main__.GenericCommand]]
+GefCommandGEF main command: view all new commands by typing gef.
GefCommand.__init____init__() → None
+GefCommand.add_context_paneadd_context_pane(
+ pane_name: str,
+ display_pane_function: Callable,
+ pane_title_function: Callable,
+ condition: Optional[Callable]
+) → None
+Add a new context pane to ContextCommand.
+GefCommand.invokeinvoke(args: Any, from_tty: bool) → None
+GefCommand.loadload() → None
+Load all the commands and functions defined by GEF into GDB.
+GefCommand.load_extra_pluginsload_extra_plugins() → int
+GefCommand.setupsetup() → None
+GefCommand.show_bannershow_banner() → None
+GefConfigCommandGEF configuration sub-command This command will help set/view GEF settings for the current debugging session. It is possible to make those changes permanent by running gef save (refer to this command help), and/or restore previously saved settings by running gef restore (refer help).
GefConfigCommand.__init____init__() → None
+GefConfigCommand.completecomplete(text: str, word: str) → List[str]
+GefConfigCommand.invokeinvoke(args: str, from_tty: bool) → None
+GefConfigCommand.print_settingprint_setting(plugin_name: str, verbose: bool = False) → None
+GefConfigCommand.print_settingsprint_settings() → None
+GefConfigCommand.set_settingset_setting(argv: Tuple[str, Any]) → None
+GefFunctionsCommandList the convenience functions provided by GEF.
+GefFunctionsCommand.__init____init__() → None
+Return the list of settings for this command.
+GefFunctionsCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GefFunctionsCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GefFunctionsCommand.do_invokedo_invoke(argv) → None
+GefFunctionsCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GefFunctionsCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GefFunctionsCommand.invokeinvoke(args: str, from_tty: bool) → None
+GefFunctionsCommand.post_loadpost_load() → None
+GefFunctionsCommand.pre_loadpre_load() → None
+GefFunctionsCommand.usageusage() → None
+GefHeapManagerClass managing session heap.
+GefHeapManager.__init____init__() → None
+GefHeapManager.csize2tidxcsize2tidx(size: int) → int
+GefHeapManager.malloc_align_addressmalloc_align_address(address: int) → int
+Align addresses according to glibc's MALLOC_ALIGNMENT. See also Issue #689 on Github
+GefHeapManager.reset_cachesreset_caches() → None
+GefHeapManager.tidx2sizetidx2size(idx: int) → int
+GefHelpCommandGEF help sub-command.
+GefHelpCommand.__init____init__() → None
+GefHelpCommand.invokeinvoke(args: Any, from_tty: bool) → None
+GefInstallExtraScriptCommandgef install command: installs one or more scripts from the gef-extras script repo. Note that the command doesn't check for external dependencies the script(s) might require.
GefInstallExtraScriptCommand.__init____init__() → None
+GefInstallExtraScriptCommand.invokeinvoke(argv: str, from_tty: bool) → None
+GefLibcManagerClass managing everything libc-related (except heap).
+GefLibcManager.__init____init__() → None
+GefLibcManager.reset_cachesreset_caches() → None
+Reset the LRU-cached attributes
+GefManagerGefManager.reset_cachesreset_caches() → None
+Reset the LRU-cached attributes
+GefMemoryManagerClass that manages memory access for gef.
+GefMemoryManager.__init____init__() → None
+GefMemoryManager.readread(addr: int, length: int = 16) → bytes
+Return a length long byte array with the copy of the process memory at addr.
GefMemoryManager.read_ascii_stringread_ascii_string(address: int) → Optional[str]
+Read an ASCII string from memory
+GefMemoryManager.read_cstringread_cstring(
+ address: int,
+ max_length: int = 50,
+ encoding: Optional[str] = None
+) → str
+Return a C-string read from memory.
+GefMemoryManager.read_integerread_integer(addr: int) → int
+Return an integer read from memory.
+GefMemoryManager.reset_cachesreset_caches() → None
+GefMemoryManager.writewrite(address: int, buffer: ByteString, length: Optional[int] = None) → None
+Write buffer at address address.
GefMissingCommandGEF missing sub-command Display the GEF commands that could not be loaded, along with the reason of why they could not be loaded.
+GefMissingCommand.__init____init__() → None
+GefMissingCommand.invokeinvoke(args: Any, from_tty: bool) → None
+GefRemoteSessionManagerClass for managing remote sessions with GEF. It will create a temporary environment designed to clone the remote one.
+GefRemoteSessionManager.__init____init__(
+ host: str,
+ port: int,
+ pid: int = -1,
+ qemu: Optional[pathlib.Path] = None
+) → None
+Return a tuple of the canary address and value, read from the canonical location if supported by the architecture. Otherwise, read from the auxiliary vector.
+Path to the file being debugged as seen by the remote endpoint.
+Local path to the file being debugged.
+Return a tuple of the initial canary address and value, read from the auxiliary vector.
+Return the current OS.
+Get the system page size
+Return the PID of the target process.
+GefRemoteSessionManager.closeclose() → None
+GefRemoteSessionManager.connectconnect(pid: int) → bool
+Connect to remote target. If in extended mode, also attach to the given PID.
+GefRemoteSessionManager.in_qemu_userin_qemu_user() → bool
+GefRemoteSessionManager.remote_objfile_event_handlerremote_objfile_event_handler(evt: 'gdb.NewObjFileEvent') → None
+GefRemoteSessionManager.reset_cachesreset_caches() → None
+GefRemoteSessionManager.setupsetup() → bool
+GefRemoteSessionManager.syncsync(src: str, dst: Optional[str] = None) → bool
+Copy the src into the temporary chroot. If dst is provided, that path will be used instead of src.
GefRestoreCommandGEF restore sub-command. Loads settings from file '~/.gef.rc' and apply them to the configuration of GEF.
+GefRestoreCommand.__init____init__() → None
+GefRestoreCommand.invokeinvoke(args: str, from_tty: bool) → None
+GefRestoreCommand.reloadreload(quiet: bool)
+GefRunCommandOverride GDB run commands with the context from GEF. Simple wrapper for GDB run command to use arguments set from gef set args.
GefRunCommand.__init____init__() → None
+GefRunCommand.invokeinvoke(args: Any, from_tty: bool) → None
+GefSaveCommandGEF save sub-command. Saves the current configuration of GEF to disk (by default in file '~/.gef.rc').
+GefSaveCommand.__init____init__() → None
+GefSaveCommand.invokeinvoke(args: Any, from_tty: bool) → None
+GefSessionManagerClass managing the runtime properties of GEF.
+GefSessionManager.__init____init__() → None
+Return a tuple of the canary address and value, read from the canonical location if supported by the architecture. Otherwise, read from the auxiliary vector.
+Return a Path object of the target process.
+Returns the Path to the procfs entry for the memory mapping.
+Return a tuple of the initial canary address and value, read from the auxiliary vector.
+Return the current OS.
+Get the system page size
+Return the PID of the target process.
+Returns the path to the process's root directory.
+GefSessionManager.reset_cachesreset_caches() → None
+GefSetCommandOverride GDB set commands with the context from GEF.
+GefSetCommand.__init____init__() → None
+GefSetCommand.invokeinvoke(args: Any, from_tty: bool) → None
+GefSettingBasic class for storing gef settings as objects
+GefSetting.__init____init__(
+ value: Any,
+ cls: Optional[type] = None,
+ description: Optional[str] = None,
+ hooks: Optional[Dict[str, Callable]] = None
+) → None
+GefSettingsManagerGefSettings acts as a dict where the global settings are stored and can be read, written or deleted as any other dict. For instance, to read a specific command setting: gef.config[mycommand.mysetting]
GefSettingsManager.raw_entryraw_entry(name: str) → GefSetting
+GefThemeCommandCustomize GEF appearance.
+GefThemeCommand.__init____init__() → None
+Return the list of settings for this command.
+GefThemeCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GefThemeCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GefThemeCommand.do_invokedo_invoke(args: List[str]) → None
+GefThemeCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GefThemeCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GefThemeCommand.invokeinvoke(args: str, from_tty: bool) → None
+GefThemeCommand.post_loadpost_load() → None
+GefThemeCommand.pre_loadpre_load() → None
+GefThemeCommand.usageusage() → None
+GefTmuxSetupSetup a confortable tmux debugging environment.
+GefTmuxSetup.__init____init__() → None
+GefTmuxSetup.invokeinvoke(args: Any, from_tty: bool) → None
+GefTmuxSetup.screen_setupscreen_setup() → None
+Hackish equivalent of the tmux_setup() function for screen.
+GefTmuxSetup.tmux_setuptmux_setup() → None
+Prepare the tmux environment by vertically splitting the current pane, and forcing the context to be redirected there.
+GefUiManagerClass managing UI settings.
+GefUiManager.__init____init__() → None
+GefUiManager.reset_cachesreset_caches() → None
+Reset the LRU-cached attributes
+GenericArchitectureGenericArchitecture.canary_addresscanary_address() → int
+GenericArchitecture.flag_register_to_humanflag_register_to_human(val: Optional[int] = None) → str
+GenericArchitecture.get_ith_parameterget_ith_parameter(i: int, in_func: bool = True) → Tuple[str, Optional[int]]
+Retrieves the correct parameter used for the current function call.
+GenericArchitecture.get_raget_ra(insn: __main__.Instruction, frame: 'gdb.Frame') → Optional[int]
+GenericArchitecture.is_branch_takenis_branch_taken(insn: __main__.Instruction) → Tuple[bool, str]
+GenericArchitecture.is_callis_call(insn: __main__.Instruction) → bool
+GenericArchitecture.is_conditional_branchis_conditional_branch(insn: __main__.Instruction) → bool
+GenericArchitecture.is_retis_ret(insn: __main__.Instruction) → bool
+GenericArchitecture.mprotect_asmmprotect_asm(addr: int, size: int, perm: __main__.Permission) → str
+GenericArchitecture.registerregister(name: str) → int
+GenericArchitecture.reset_cachesreset_caches() → None
+GenericArchitecture.supports_gdb_archsupports_gdb_arch(gdb_arch: str) → Optional[bool]
+If implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
GenericCommandThis is an abstract class for invoking commands, should not be instantiated.
+GenericCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+GenericCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GenericCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GenericCommand.do_invokedo_invoke(argv: List[str]) → None
+GenericCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GenericCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GenericCommand.invokeinvoke(args: str, from_tty: bool) → None
+GenericCommand.post_loadpost_load() → None
+GenericCommand.pre_loadpre_load() → None
+GenericCommand.usageusage() → None
+GenericFunctionThis is an abstract class for invoking convenience functions, should not be instantiated.
+GenericFunction.__init____init__() → None
+GenericFunction.arg_to_longarg_to_long(args: List, index: int, default: int = 0) → int
+GenericFunction.do_invokedo_invoke(args: Any) → int
+GenericFunction.invokeinvoke(*args: Any) → int
+GlibcArenaGlibc arena class
+GlibcArena.__init____init__(addr: str) → None
+GlibcArena.binbin(i: int) → Tuple[int, int]
+GlibcArena.bin_atbin_at(i) → int
+GlibcArena.fastbinfastbin(i: int) → Optional[ForwardRef('GlibcFastChunk')]
+Return head chunk in fastbinsY[i].
+GlibcArena.get_heap_for_ptrget_heap_for_ptr(ptr: int) → int
+Find the corresponding heap for a given pointer (int). See https://github.com/bminor/glibc/blob/glibc-2.34/malloc/arena.c#L129
+GlibcArena.get_heap_info_listget_heap_info_list() → Optional[List[__main__.GlibcHeapInfo]]
+GlibcArena.heap_addrheap_addr(allow_unaligned: bool = False) → Optional[int]
+GlibcArena.is_main_arenais_main_arena() → bool
+GlibcArena.malloc_state_tmalloc_state_t() → Type[_ctypes.Structure]
+GlibcArena.resetreset()
+GlibcArena.verifyverify(addr: int) → bool
+Verify that the address matches a possible valid GlibcArena
+GlibcChunkGlibc chunk class. The default behavior (from_base=False) is to interpret the data starting at the memory address pointed to as the chunk data. Setting from_base to True instead treats that data as the chunk header. Ref: https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/.
+GlibcChunk.__init____init__(
+ addr: int,
+ from_base: bool = False,
+ allow_unaligned: bool = True
+) → None
+GlibcChunk.get_next_chunkget_next_chunk(allow_unaligned: bool = False) → GlibcChunk
+GlibcChunk.get_next_chunk_addrget_next_chunk_addr() → int
+GlibcChunk.get_prev_chunk_sizeget_prev_chunk_size() → int
+GlibcChunk.get_usable_sizeget_usable_size() → int
+GlibcChunk.has_m_bithas_m_bit() → bool
+GlibcChunk.has_n_bithas_n_bit() → bool
+GlibcChunk.has_p_bithas_p_bit() → bool
+GlibcChunk.is_usedis_used() → bool
+Check if the current block is used by: +- checking the M bit is true +- or checking that next chunk PREV_INUSE flag is true
+GlibcChunk.malloc_chunk_tmalloc_chunk_t() → Type[_ctypes.Structure]
+GlibcChunk.psprintpsprint() → str
+GlibcChunk.resetreset()
+GlibcFastChunkGlibcFastChunk.__init____init__(
+ addr: int,
+ from_base: bool = False,
+ allow_unaligned: bool = True
+) → None
+GlibcFastChunk.get_next_chunkget_next_chunk(allow_unaligned: bool = False) → GlibcChunk
+GlibcFastChunk.get_next_chunk_addrget_next_chunk_addr() → int
+GlibcFastChunk.get_prev_chunk_sizeget_prev_chunk_size() → int
+GlibcFastChunk.get_usable_sizeget_usable_size() → int
+GlibcFastChunk.has_m_bithas_m_bit() → bool
+GlibcFastChunk.has_n_bithas_n_bit() → bool
+GlibcFastChunk.has_p_bithas_p_bit() → bool
+GlibcFastChunk.is_usedis_used() → bool
+Check if the current block is used by: +- checking the M bit is true +- or checking that next chunk PREV_INUSE flag is true
+GlibcFastChunk.malloc_chunk_tmalloc_chunk_t() → Type[_ctypes.Structure]
+GlibcFastChunk.protect_ptrprotect_ptr(pos: int, pointer: int) → int
+https://elixir.bootlin.com/glibc/glibc-2.32/source/malloc/malloc.c#L339
+GlibcFastChunk.psprintpsprint() → str
+GlibcFastChunk.resetreset()
+GlibcFastChunk.reveal_ptrreveal_ptr(pointer: int) → int
+https://elixir.bootlin.com/glibc/glibc-2.32/source/malloc/malloc.c#L341
+GlibcHeapArenaCommandDisplay information on a heap chunk.
+GlibcHeapArenaCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+GlibcHeapArenaCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GlibcHeapArenaCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GlibcHeapArenaCommand.do_invokedo_invoke(_: List[str]) → None
+GlibcHeapArenaCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GlibcHeapArenaCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GlibcHeapArenaCommand.invokeinvoke(args: str, from_tty: bool) → None
+GlibcHeapArenaCommand.post_loadpost_load() → None
+GlibcHeapArenaCommand.pre_loadpre_load() → None
+GlibcHeapArenaCommand.usageusage() → None
+GlibcHeapBinsCommandDisplay information on the bins on an arena (default: main_arena). See https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1123.
+GlibcHeapBinsCommand.__init____init__() → None
+Return the list of settings for this command.
+GlibcHeapBinsCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GlibcHeapBinsCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GlibcHeapBinsCommand.do_invokedo_invoke(argv: List[str]) → None
+GlibcHeapBinsCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GlibcHeapBinsCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GlibcHeapBinsCommand.invokeinvoke(args: str, from_tty: bool) → None
+GlibcHeapBinsCommand.post_loadpost_load() → None
+GlibcHeapBinsCommand.pprint_binpprint_bin(arena_addr: str, index: int, _type: str = '') → int
+GlibcHeapBinsCommand.pre_loadpre_load() → None
+GlibcHeapBinsCommand.usageusage() → None
+GlibcHeapChunkCommandDisplay information on a heap chunk. See https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1123.
+GlibcHeapChunkCommand.__init____init__() → None
+Return the list of settings for this command.
+GlibcHeapChunkCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GlibcHeapChunkCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GlibcHeapChunkCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+GlibcHeapChunkCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GlibcHeapChunkCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GlibcHeapChunkCommand.invokeinvoke(args: str, from_tty: bool) → None
+GlibcHeapChunkCommand.post_loadpost_load() → None
+GlibcHeapChunkCommand.pre_loadpre_load() → None
+GlibcHeapChunkCommand.usageusage() → None
+GlibcHeapChunksCommandDisplay all heap chunks for the current arena. As an optional argument the base address of a different arena can be passed
+GlibcHeapChunksCommand.__init____init__() → None
+Return the list of settings for this command.
+GlibcHeapChunksCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GlibcHeapChunksCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GlibcHeapChunksCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+GlibcHeapChunksCommand.dump_chunks_arenadump_chunks_arena(
+ arena: __main__.GlibcArena,
+ print_arena: bool = False,
+ allow_unaligned: bool = False
+) → None
+GlibcHeapChunksCommand.dump_chunks_heapdump_chunks_heap(
+ start: int,
+ end: int,
+ arena: __main__.GlibcArena,
+ allow_unaligned: bool = False
+) → bool
+GlibcHeapChunksCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GlibcHeapChunksCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GlibcHeapChunksCommand.invokeinvoke(args: str, from_tty: bool) → None
+GlibcHeapChunksCommand.post_loadpost_load() → None
+GlibcHeapChunksCommand.pre_loadpre_load() → None
+GlibcHeapChunksCommand.usageusage() → None
+GlibcHeapCommandBase command to get information about the Glibc heap structure.
+GlibcHeapCommand.__init____init__() → None
+Return the list of settings for this command.
+GlibcHeapCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GlibcHeapCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GlibcHeapCommand.do_invokedo_invoke(_: List[str]) → None
+GlibcHeapCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GlibcHeapCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GlibcHeapCommand.invokeinvoke(args: str, from_tty: bool) → None
+GlibcHeapCommand.post_loadpost_load() → None
+GlibcHeapCommand.pre_loadpre_load() → None
+GlibcHeapCommand.usageusage() → None
+GlibcHeapFastbinsYCommandDisplay information on the fastbinsY on an arena (default: main_arena). See https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1123.
+GlibcHeapFastbinsYCommand.__init____init__() → None
+Return the list of settings for this command.
+GlibcHeapFastbinsYCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GlibcHeapFastbinsYCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GlibcHeapFastbinsYCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+GlibcHeapFastbinsYCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GlibcHeapFastbinsYCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GlibcHeapFastbinsYCommand.invokeinvoke(args: str, from_tty: bool) → None
+GlibcHeapFastbinsYCommand.post_loadpost_load() → None
+GlibcHeapFastbinsYCommand.pre_loadpre_load() → None
+GlibcHeapFastbinsYCommand.usageusage() → None
+GlibcHeapInfoGlibc heap_info struct
+GlibcHeapInfo.__init____init__(addr: Union[str, int]) → None
+GlibcHeapInfo.heap_info_theap_info_t() → Type[_ctypes.Structure]
+GlibcHeapInfo.resetreset()
+GlibcHeapLargeBinsCommandConvenience command for viewing large bins.
+GlibcHeapLargeBinsCommand.__init____init__() → None
+Return the list of settings for this command.
+GlibcHeapLargeBinsCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GlibcHeapLargeBinsCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GlibcHeapLargeBinsCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+GlibcHeapLargeBinsCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GlibcHeapLargeBinsCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GlibcHeapLargeBinsCommand.invokeinvoke(args: str, from_tty: bool) → None
+GlibcHeapLargeBinsCommand.post_loadpost_load() → None
+GlibcHeapLargeBinsCommand.pre_loadpre_load() → None
+GlibcHeapLargeBinsCommand.usageusage() → None
+GlibcHeapSetArenaCommandSet the address of the main_arena or the currently selected arena.
+GlibcHeapSetArenaCommand.__init____init__() → None
+Return the list of settings for this command.
+GlibcHeapSetArenaCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GlibcHeapSetArenaCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GlibcHeapSetArenaCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+GlibcHeapSetArenaCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GlibcHeapSetArenaCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GlibcHeapSetArenaCommand.invokeinvoke(args: str, from_tty: bool) → None
+GlibcHeapSetArenaCommand.post_loadpost_load() → None
+GlibcHeapSetArenaCommand.pre_loadpre_load() → None
+GlibcHeapSetArenaCommand.usageusage() → None
+GlibcHeapSmallBinsCommandConvenience command for viewing small bins.
+GlibcHeapSmallBinsCommand.__init____init__() → None
+Return the list of settings for this command.
+GlibcHeapSmallBinsCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GlibcHeapSmallBinsCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GlibcHeapSmallBinsCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+GlibcHeapSmallBinsCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GlibcHeapSmallBinsCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GlibcHeapSmallBinsCommand.invokeinvoke(args: str, from_tty: bool) → None
+GlibcHeapSmallBinsCommand.post_loadpost_load() → None
+GlibcHeapSmallBinsCommand.pre_loadpre_load() → None
+GlibcHeapSmallBinsCommand.usageusage() → None
+GlibcHeapTcachebinsCommandDisplay information on the Tcachebins on an arena (default: main_arena). See https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc.
+GlibcHeapTcachebinsCommand.__init____init__() → None
+Return the list of settings for this command.
+GlibcHeapTcachebinsCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GlibcHeapTcachebinsCommand.check_thread_idscheck_thread_ids(tids: List[int]) → List[int]
+Return the subset of tids that are currently valid.
+GlibcHeapTcachebinsCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GlibcHeapTcachebinsCommand.do_invokedo_invoke(argv: List[str]) → None
+GlibcHeapTcachebinsCommand.find_tcachefind_tcache() → int
+Return the location of the current thread's tcache.
+GlibcHeapTcachebinsCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GlibcHeapTcachebinsCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GlibcHeapTcachebinsCommand.invokeinvoke(args: str, from_tty: bool) → None
+GlibcHeapTcachebinsCommand.post_loadpost_load() → None
+GlibcHeapTcachebinsCommand.pre_loadpre_load() → None
+GlibcHeapTcachebinsCommand.tcachebintcachebin(
+ tcache_base: int,
+ i: int
+) → Tuple[Optional[__main__.GlibcTcacheChunk], int]
+Return the head chunk in tcache[i] and the number of chunks in the bin.
+GlibcHeapTcachebinsCommand.usageusage() → None
+GlibcHeapUnsortedBinsCommandDisplay information on the Unsorted Bins of an arena (default: main_arena). See: https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1689.
+GlibcHeapUnsortedBinsCommand.__init____init__() → None
+Return the list of settings for this command.
+GlibcHeapUnsortedBinsCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GlibcHeapUnsortedBinsCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GlibcHeapUnsortedBinsCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+GlibcHeapUnsortedBinsCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GlibcHeapUnsortedBinsCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GlibcHeapUnsortedBinsCommand.invokeinvoke(args: str, from_tty: bool) → None
+GlibcHeapUnsortedBinsCommand.post_loadpost_load() → None
+GlibcHeapUnsortedBinsCommand.pre_loadpre_load() → None
+GlibcHeapUnsortedBinsCommand.usageusage() → None
+GlibcTcacheChunkGlibcTcacheChunk.__init____init__(
+ addr: int,
+ from_base: bool = False,
+ allow_unaligned: bool = True
+) → None
+GlibcTcacheChunk.get_next_chunkget_next_chunk(allow_unaligned: bool = False) → GlibcChunk
+GlibcTcacheChunk.get_next_chunk_addrget_next_chunk_addr() → int
+GlibcTcacheChunk.get_prev_chunk_sizeget_prev_chunk_size() → int
+GlibcTcacheChunk.get_usable_sizeget_usable_size() → int
+GlibcTcacheChunk.has_m_bithas_m_bit() → bool
+GlibcTcacheChunk.has_n_bithas_n_bit() → bool
+GlibcTcacheChunk.has_p_bithas_p_bit() → bool
+GlibcTcacheChunk.is_usedis_used() → bool
+Check if the current block is used by: +- checking the M bit is true +- or checking that next chunk PREV_INUSE flag is true
+GlibcTcacheChunk.malloc_chunk_tmalloc_chunk_t() → Type[_ctypes.Structure]
+GlibcTcacheChunk.protect_ptrprotect_ptr(pos: int, pointer: int) → int
+https://elixir.bootlin.com/glibc/glibc-2.32/source/malloc/malloc.c#L339
+GlibcTcacheChunk.psprintpsprint() → str
+GlibcTcacheChunk.resetreset()
+GlibcTcacheChunk.reveal_ptrreveal_ptr(pointer: int) → int
+https://elixir.bootlin.com/glibc/glibc-2.32/source/malloc/malloc.c#L341
+GotBaseFunctionReturn the current GOT base address plus the given offset.
+GotBaseFunction.__init____init__() → None
+GotBaseFunction.arg_to_longarg_to_long(args: List, index: int, default: int = 0) → int
+GotBaseFunction.do_invokedo_invoke(args: List) → int
+GotBaseFunction.invokeinvoke(*args: Any) → int
+GotCommandDisplay current status of the got inside the process.
+GotCommand.__init____init__()
+Return the list of settings for this command.
+GotCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
GotCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
GotCommand.do_invokedo_invoke(argv: List[str]) → None
+GotCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
GotCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
GotCommand.invokeinvoke(args: str, from_tty: bool) → None
+GotCommand.post_loadpost_load() → None
+GotCommand.pre_loadpre_load() → None
+GotCommand.usageusage() → None
+HeapAnalysisCommandHeap vulnerability analysis helper: this command aims to track dynamic heap allocation done through malloc()/free() to provide some insights on possible heap vulnerabilities. The following vulnerabilities are checked: +- NULL free +- Use-after-Free +- Double Free +- Heap overlap
+HeapAnalysisCommand.__init____init__() → None
+Return the list of settings for this command.
+HeapAnalysisCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
HeapAnalysisCommand.cleanclean(_: 'gdb.Event') → None
+HeapAnalysisCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
HeapAnalysisCommand.do_invokedo_invoke(argv: List[str]) → None
+HeapAnalysisCommand.dump_tracked_allocationsdump_tracked_allocations() → None
+HeapAnalysisCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
HeapAnalysisCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
HeapAnalysisCommand.invokeinvoke(args: str, from_tty: bool) → None
+HeapAnalysisCommand.post_loadpost_load() → None
+HeapAnalysisCommand.pre_loadpre_load() → None
+HeapAnalysisCommand.setupsetup() → None
+HeapAnalysisCommand.usageusage() → None
+HeapBaseFunctionReturn the current heap base address plus an optional offset.
+HeapBaseFunction.__init____init__() → None
+HeapBaseFunction.arg_to_longarg_to_long(args: List, index: int, default: int = 0) → int
+HeapBaseFunction.do_invokedo_invoke(args: List) → int
+HeapBaseFunction.invokeinvoke(*args: Any) → int
+HexdumpByteCommandDisplay SIZE lines of hexdump as BYTE from the memory location pointed by ADDRESS.
+HexdumpByteCommand.__init____init__() → None
+Return the list of settings for this command.
+HexdumpByteCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
HexdumpByteCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
HexdumpByteCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+HexdumpByteCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
HexdumpByteCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
HexdumpByteCommand.invokeinvoke(args: str, from_tty: bool) → None
+HexdumpByteCommand.post_loadpost_load() → None
+HexdumpByteCommand.pre_loadpre_load() → None
+HexdumpByteCommand.usageusage() → None
+HexdumpCommandDisplay SIZE lines of hexdump from the memory location pointed by LOCATION.
+HexdumpCommand.__init____init__() → None
+Return the list of settings for this command.
+HexdumpCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
HexdumpCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
HexdumpCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+HexdumpCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
HexdumpCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
HexdumpCommand.invokeinvoke(args: str, from_tty: bool) → None
+HexdumpCommand.post_loadpost_load() → None
+HexdumpCommand.pre_loadpre_load() → None
+HexdumpCommand.usageusage() → None
+HexdumpDwordCommandDisplay SIZE lines of hexdump as DWORD from the memory location pointed by ADDRESS.
+HexdumpDwordCommand.__init____init__() → None
+Return the list of settings for this command.
+HexdumpDwordCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
HexdumpDwordCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
HexdumpDwordCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+HexdumpDwordCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
HexdumpDwordCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
HexdumpDwordCommand.invokeinvoke(args: str, from_tty: bool) → None
+HexdumpDwordCommand.post_loadpost_load() → None
+HexdumpDwordCommand.pre_loadpre_load() → None
+HexdumpDwordCommand.usageusage() → None
+HexdumpQwordCommandDisplay SIZE lines of hexdump as QWORD from the memory location pointed by ADDRESS.
+HexdumpQwordCommand.__init____init__() → None
+Return the list of settings for this command.
+HexdumpQwordCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
HexdumpQwordCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
HexdumpQwordCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+HexdumpQwordCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
HexdumpQwordCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
HexdumpQwordCommand.invokeinvoke(args: str, from_tty: bool) → None
+HexdumpQwordCommand.post_loadpost_load() → None
+HexdumpQwordCommand.pre_loadpre_load() → None
+HexdumpQwordCommand.usageusage() → None
+HexdumpWordCommandDisplay SIZE lines of hexdump as WORD from the memory location pointed by ADDRESS.
+HexdumpWordCommand.__init____init__() → None
+Return the list of settings for this command.
+HexdumpWordCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
HexdumpWordCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
HexdumpWordCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+HexdumpWordCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
HexdumpWordCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
HexdumpWordCommand.invokeinvoke(args: str, from_tty: bool) → None
+HexdumpWordCommand.post_loadpost_load() → None
+HexdumpWordCommand.pre_loadpre_load() → None
+HexdumpWordCommand.usageusage() → None
+HighlightAddCommandAdd a match to the highlight table.
+HighlightAddCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+HighlightAddCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
HighlightAddCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
HighlightAddCommand.do_invokedo_invoke(argv: List[str]) → None
+HighlightAddCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
HighlightAddCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
HighlightAddCommand.invokeinvoke(args: str, from_tty: bool) → None
+HighlightAddCommand.post_loadpost_load() → None
+HighlightAddCommand.pre_loadpre_load() → None
+HighlightAddCommand.usageusage() → None
+HighlightClearCommandClear the highlight table, remove all matches.
+HighlightClearCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+HighlightClearCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
HighlightClearCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
HighlightClearCommand.do_invokedo_invoke(_: List[str]) → None
+HighlightClearCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
HighlightClearCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
HighlightClearCommand.invokeinvoke(args: str, from_tty: bool) → None
+HighlightClearCommand.post_loadpost_load() → None
+HighlightClearCommand.pre_loadpre_load() → None
+HighlightClearCommand.usageusage() → None
+HighlightCommandHighlight user-defined text matches in GEF output universally.
+HighlightCommand.__init____init__() → None
+Return the list of settings for this command.
+HighlightCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
HighlightCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
HighlightCommand.do_invokedo_invoke(_: List[str]) → None
+HighlightCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
HighlightCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
HighlightCommand.invokeinvoke(args: str, from_tty: bool) → None
+HighlightCommand.post_loadpost_load() → None
+HighlightCommand.pre_loadpre_load() → None
+HighlightCommand.usageusage() → None
+HighlightListCommandShow the current highlight table with matches to colors.
+HighlightListCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+HighlightListCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
HighlightListCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
HighlightListCommand.do_invokedo_invoke(_: List[str]) → None
+HighlightListCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
HighlightListCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
HighlightListCommand.invokeinvoke(args: str, from_tty: bool) → None
+HighlightListCommand.post_loadpost_load() → None
+HighlightListCommand.pre_loadpre_load() → None
+HighlightListCommand.print_highlight_tableprint_highlight_table() → None
+HighlightListCommand.usageusage() → None
+HighlightRemoveCommandRemove a match in the highlight table.
+HighlightRemoveCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+HighlightRemoveCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
HighlightRemoveCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
HighlightRemoveCommand.do_invokedo_invoke(argv: List[str]) → None
+HighlightRemoveCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
HighlightRemoveCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
HighlightRemoveCommand.invokeinvoke(args: str, from_tty: bool) → None
+HighlightRemoveCommand.post_loadpost_load() → None
+HighlightRemoveCommand.pre_loadpre_load() → None
+HighlightRemoveCommand.usageusage() → None
+InstructionGEF representation of a CPU instruction.
+Instruction.__init____init__(
+ address: int,
+ location: str,
+ mnemo: str,
+ operands: List[str],
+ opcodes: bytes
+) → None
+Instruction.is_validis_valid() → bool
+Instruction.nextnext() → Instruction
+Instruction.sizesize() → int
+MIPSMIPS.canary_addresscanary_address() → int
+MIPS.flag_register_to_humanflag_register_to_human(val: Optional[int] = None) → str
+MIPS.get_ith_parameterget_ith_parameter(i: int, in_func: bool = True) → Tuple[str, Optional[int]]
+Retrieves the correct parameter used for the current function call.
+MIPS.get_raget_ra(insn: __main__.Instruction, frame: 'gdb.Frame') → Optional[int]
+MIPS.is_branch_takenis_branch_taken(insn: __main__.Instruction) → Tuple[bool, str]
+MIPS.is_callis_call(insn: __main__.Instruction) → bool
+MIPS.is_conditional_branchis_conditional_branch(insn: __main__.Instruction) → bool
+MIPS.is_retis_ret(insn: __main__.Instruction) → bool
+MIPS.mprotect_asmmprotect_asm(addr: int, size: int, perm: __main__.Permission) → str
+MIPS.registerregister(name: str) → int
+MIPS.reset_cachesreset_caches() → None
+MIPS.supports_gdb_archsupports_gdb_arch(gdb_arch: str) → Optional[bool]
+If implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
MIPS64MIPS64.canary_addresscanary_address() → int
+MIPS64.flag_register_to_humanflag_register_to_human(val: Optional[int] = None) → str
+MIPS64.get_ith_parameterget_ith_parameter(i: int, in_func: bool = True) → Tuple[str, Optional[int]]
+Retrieves the correct parameter used for the current function call.
+MIPS64.get_raget_ra(insn: __main__.Instruction, frame: 'gdb.Frame') → Optional[int]
+MIPS64.is_branch_takenis_branch_taken(insn: __main__.Instruction) → Tuple[bool, str]
+MIPS64.is_callis_call(insn: __main__.Instruction) → bool
+MIPS64.is_conditional_branchis_conditional_branch(insn: __main__.Instruction) → bool
+MIPS64.is_retis_ret(insn: __main__.Instruction) → bool
+MIPS64.mprotect_asmmprotect_asm(addr: int, size: int, perm: __main__.Permission) → str
+MIPS64.registerregister(name: str) → int
+MIPS64.reset_cachesreset_caches() → None
+MIPS64.supports_gdb_archsupports_gdb_arch(gdb_arch: str) → Optional[bool]
+MemoryCommandAdd or remove address ranges to the memory view.
+MemoryCommand.__init____init__() → None
+Return the list of settings for this command.
+MemoryCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
MemoryCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
MemoryCommand.do_invokedo_invoke(argv: List[str]) → None
+MemoryCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
MemoryCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
MemoryCommand.invokeinvoke(args: str, from_tty: bool) → None
+MemoryCommand.post_loadpost_load() → None
+MemoryCommand.pre_loadpre_load() → None
+MemoryCommand.usageusage() → None
+MemoryUnwatchCommandRemoves address ranges to the memory view.
+MemoryUnwatchCommand.__init____init__() → None
+Return the list of settings for this command.
+MemoryUnwatchCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
MemoryUnwatchCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
MemoryUnwatchCommand.do_invokedo_invoke(argv: List[str]) → None
+MemoryUnwatchCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
MemoryUnwatchCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
MemoryUnwatchCommand.invokeinvoke(args: str, from_tty: bool) → None
+MemoryUnwatchCommand.post_loadpost_load() → None
+MemoryUnwatchCommand.pre_loadpre_load() → None
+MemoryUnwatchCommand.usageusage() → None
+MemoryWatchCommandAdds address ranges to the memory view.
+MemoryWatchCommand.__init____init__() → None
+Return the list of settings for this command.
+MemoryWatchCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
MemoryWatchCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
MemoryWatchCommand.do_invokedo_invoke(argv: List[str]) → None
+MemoryWatchCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
MemoryWatchCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
MemoryWatchCommand.invokeinvoke(args: str, from_tty: bool) → None
+MemoryWatchCommand.post_loadpost_load() → None
+MemoryWatchCommand.pre_loadpre_load() → None
+MemoryWatchCommand.usageusage() → None
+MemoryWatchListCommandLists all watchpoints to display in context layout.
+MemoryWatchListCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+MemoryWatchListCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
MemoryWatchListCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
MemoryWatchListCommand.do_invokedo_invoke(_: List[str]) → None
+MemoryWatchListCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
MemoryWatchListCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
MemoryWatchListCommand.invokeinvoke(args: str, from_tty: bool) → None
+MemoryWatchListCommand.post_loadpost_load() → None
+MemoryWatchListCommand.pre_loadpre_load() → None
+MemoryWatchListCommand.usageusage() → None
+MemoryWatchResetCommandRemoves all watchpoints.
+MemoryWatchResetCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+MemoryWatchResetCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
MemoryWatchResetCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
MemoryWatchResetCommand.do_invokedo_invoke(_: List[str]) → None
+MemoryWatchResetCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
MemoryWatchResetCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
MemoryWatchResetCommand.invokeinvoke(args: str, from_tty: bool) → None
+MemoryWatchResetCommand.post_loadpost_load() → None
+MemoryWatchResetCommand.pre_loadpre_load() → None
+MemoryWatchResetCommand.usageusage() → None
+NamedBreakpointBreakpoint which shows a specified name, when hit.
+NamedBreakpoint.__init____init__(location: str, name: str) → None
+NamedBreakpoint.stopstop() → bool
+NamedBreakpointCommandSets a breakpoint and assigns a name to it, which will be shown, when it's hit.
+NamedBreakpointCommand.__init____init__() → None
+Return the list of settings for this command.
+NamedBreakpointCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
NamedBreakpointCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
NamedBreakpointCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+NamedBreakpointCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
NamedBreakpointCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
NamedBreakpointCommand.invokeinvoke(args: str, from_tty: bool) → None
+NamedBreakpointCommand.post_loadpost_load() → None
+NamedBreakpointCommand.pre_loadpre_load() → None
+NamedBreakpointCommand.usageusage() → None
+NopCommandPatch the instruction(s) pointed by parameters with NOP. Note: this command is architecture aware.
+NopCommand.__init____init__() → None
+Return the list of settings for this command.
+NopCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
NopCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
NopCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+NopCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
NopCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
NopCommand.invokeinvoke(args: str, from_tty: bool) → None
+NopCommand.post_loadpost_load() → None
+NopCommand.pre_loadpre_load() → None
+NopCommand.usageusage() → None
+PCustomCommandDump user defined structure. This command attempts to reproduce WinDBG awesome dt command for GDB and allows to apply structures (from symbols or custom) directly to an address. Custom structures can be defined in pure Python using ctypes, and should be stored in a specific directory, whose path must be stored in the pcustom.struct_path configuration setting.
PCustomCommand.__init____init__() → None
+Return the list of settings for this command.
+PCustomCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PCustomCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PCustomCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+PCustomCommand.explode_typeexplode_type(arg: str) → Tuple[str, str]
+PCustomCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PCustomCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PCustomCommand.invokeinvoke(args: str, from_tty: bool) → None
+PCustomCommand.post_loadpost_load() → None
+PCustomCommand.pre_loadpre_load() → None
+PCustomCommand.usageusage() → None
+PCustomEditCommandPCustom: edit the content of a given structure
+PCustomEditCommand.__init____init__() → None
+Return the list of settings for this command.
+PCustomEditCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PCustomEditCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PCustomEditCommand.do_invokedo_invoke(argv: List[str]) → None
+PCustomEditCommand.explode_typeexplode_type(arg: str) → Tuple[str, str]
+PCustomEditCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PCustomEditCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PCustomEditCommand.invokeinvoke(args: str, from_tty: bool) → None
+PCustomEditCommand.post_loadpost_load() → None
+PCustomEditCommand.pre_loadpre_load() → None
+PCustomEditCommand.usageusage() → None
+PCustomListCommandPCustom: list available structures
+PCustomListCommand.__init____init__() → None
+Return the list of settings for this command.
+PCustomListCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PCustomListCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PCustomListCommand.do_invokedo_invoke(_: List) → None
+Dump the list of all the structures and their respective.
+PCustomListCommand.explode_typeexplode_type(arg: str) → Tuple[str, str]
+PCustomListCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PCustomListCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PCustomListCommand.invokeinvoke(args: str, from_tty: bool) → None
+PCustomListCommand.post_loadpost_load() → None
+PCustomListCommand.pre_loadpre_load() → None
+PCustomListCommand.usageusage() → None
+PCustomShowCommandPCustom: show the content of a given structure
+PCustomShowCommand.__init____init__() → None
+Return the list of settings for this command.
+PCustomShowCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PCustomShowCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PCustomShowCommand.do_invokedo_invoke(argv: List[str]) → None
+PCustomShowCommand.explode_typeexplode_type(arg: str) → Tuple[str, str]
+PCustomShowCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PCustomShowCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PCustomShowCommand.invokeinvoke(args: str, from_tty: bool) → None
+PCustomShowCommand.post_loadpost_load() → None
+PCustomShowCommand.pre_loadpre_load() → None
+PCustomShowCommand.usageusage() → None
+PatchByteCommandWrite specified BYTE to the specified address.
+PatchByteCommand.__init____init__() → None
+Return the list of settings for this command.
+PatchByteCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PatchByteCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PatchByteCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+PatchByteCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PatchByteCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PatchByteCommand.invokeinvoke(args: str, from_tty: bool) → None
+PatchByteCommand.post_loadpost_load() → None
+PatchByteCommand.pre_loadpre_load() → None
+PatchByteCommand.usageusage() → None
+PatchCommandWrite specified values to the specified address.
+PatchCommand.__init____init__() → None
+Return the list of settings for this command.
+PatchCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PatchCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PatchCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+PatchCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PatchCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PatchCommand.invokeinvoke(args: str, from_tty: bool) → None
+PatchCommand.post_loadpost_load() → None
+PatchCommand.pre_loadpre_load() → None
+PatchCommand.usageusage() → None
+PatchDwordCommandWrite specified DWORD to the specified address.
+PatchDwordCommand.__init____init__() → None
+Return the list of settings for this command.
+PatchDwordCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PatchDwordCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PatchDwordCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+PatchDwordCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PatchDwordCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PatchDwordCommand.invokeinvoke(args: str, from_tty: bool) → None
+PatchDwordCommand.post_loadpost_load() → None
+PatchDwordCommand.pre_loadpre_load() → None
+PatchDwordCommand.usageusage() → None
+PatchQwordCommandWrite specified QWORD to the specified address.
+PatchQwordCommand.__init____init__() → None
+Return the list of settings for this command.
+PatchQwordCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PatchQwordCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PatchQwordCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+PatchQwordCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PatchQwordCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PatchQwordCommand.invokeinvoke(args: str, from_tty: bool) → None
+PatchQwordCommand.post_loadpost_load() → None
+PatchQwordCommand.pre_loadpre_load() → None
+PatchQwordCommand.usageusage() → None
+PatchStringCommandWrite specified string to the specified memory location pointed by ADDRESS.
+PatchStringCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+PatchStringCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PatchStringCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PatchStringCommand.do_invokedo_invoke(argv: List[str]) → None
+PatchStringCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PatchStringCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PatchStringCommand.invokeinvoke(args: str, from_tty: bool) → None
+PatchStringCommand.post_loadpost_load() → None
+PatchStringCommand.pre_loadpre_load() → None
+PatchStringCommand.usageusage() → None
+PatchWordCommandWrite specified WORD to the specified address.
+PatchWordCommand.__init____init__() → None
+Return the list of settings for this command.
+PatchWordCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PatchWordCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PatchWordCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+PatchWordCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PatchWordCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PatchWordCommand.invokeinvoke(args: str, from_tty: bool) → None
+PatchWordCommand.post_loadpost_load() → None
+PatchWordCommand.pre_loadpre_load() → None
+PatchWordCommand.usageusage() → None
+PatternCommandGenerate or Search a De Bruijn Sequence of unique substrings of length N and a total length of LENGTH. The default value of N is set to match the currently loaded architecture.
+PatternCommand.__init____init__() → None
+Return the list of settings for this command.
+PatternCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PatternCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PatternCommand.do_invokedo_invoke(_: List[str]) → None
+PatternCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PatternCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PatternCommand.invokeinvoke(args: str, from_tty: bool) → None
+PatternCommand.post_loadpost_load() → None
+PatternCommand.pre_loadpre_load() → None
+PatternCommand.usageusage() → None
+PatternCreateCommandGenerate a De Bruijn Sequence of unique substrings of length N and a total length of LENGTH. The default value of N is set to match the currently loaded architecture.
+PatternCreateCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+PatternCreateCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PatternCreateCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PatternCreateCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+PatternCreateCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PatternCreateCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PatternCreateCommand.invokeinvoke(args: str, from_tty: bool) → None
+PatternCreateCommand.post_loadpost_load() → None
+PatternCreateCommand.pre_loadpre_load() → None
+PatternCreateCommand.usageusage() → None
+PatternSearchCommandSearch a De Bruijn Sequence of unique substrings of length N and a maximum total length of MAX_LENGTH. The default value of N is set to match the currently loaded architecture. The PATTERN argument can be a GDB symbol (such as a register name), a string or a hexadecimal value
+PatternSearchCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+PatternSearchCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PatternSearchCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PatternSearchCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+PatternSearchCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PatternSearchCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PatternSearchCommand.invokeinvoke(args: str, from_tty: bool) → None
+PatternSearchCommand.post_loadpost_load() → None
+PatternSearchCommand.pre_loadpre_load() → None
+PatternSearchCommand.searchsearch(pattern: str, size: int, period: int) → None
+PatternSearchCommand.usageusage() → None
+PermissionGEF representation of Linux permission.
+PhdrPhdr.__init____init__(elf: __main__.Elf, off: int) → None
+PieAttachCommandDo attach with PIE breakpoint support.
+PieAttachCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+PieAttachCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PieAttachCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PieAttachCommand.do_invokedo_invoke(argv: List[str]) → None
+PieAttachCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PieAttachCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PieAttachCommand.invokeinvoke(args: str, from_tty: bool) → None
+PieAttachCommand.post_loadpost_load() → None
+PieAttachCommand.pre_loadpre_load() → None
+PieAttachCommand.usageusage() → None
+PieBreakpointCommandSet a PIE breakpoint at an offset from the target binaries base address.
+PieBreakpointCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+PieBreakpointCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PieBreakpointCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PieBreakpointCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+PieBreakpointCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PieBreakpointCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PieBreakpointCommand.invokeinvoke(args: str, from_tty: bool) → None
+PieBreakpointCommand.post_loadpost_load() → None
+PieBreakpointCommand.pre_loadpre_load() → None
+PieBreakpointCommand.set_pie_breakpointset_pie_breakpoint(set_func: Callable[[int], str], addr: int) → None
+PieBreakpointCommand.usageusage() → None
+PieCommandPIE breakpoint support.
+PieCommand.__init____init__() → None
+Return the list of settings for this command.
+PieCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PieCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PieCommand.do_invokedo_invoke(argv: List[str]) → None
+PieCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PieCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PieCommand.invokeinvoke(args: str, from_tty: bool) → None
+PieCommand.post_loadpost_load() → None
+PieCommand.pre_loadpre_load() → None
+PieCommand.usageusage() → None
+PieDeleteCommandDelete a PIE breakpoint.
+PieDeleteCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+PieDeleteCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PieDeleteCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PieDeleteCommand.delete_bpdelete_bp(breakpoints: List[__main__.PieVirtualBreakpoint]) → None
+PieDeleteCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+PieDeleteCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PieDeleteCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PieDeleteCommand.invokeinvoke(args: str, from_tty: bool) → None
+PieDeleteCommand.post_loadpost_load() → None
+PieDeleteCommand.pre_loadpre_load() → None
+PieDeleteCommand.usageusage() → None
+PieInfoCommandDisplay breakpoint info.
+PieInfoCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+PieInfoCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PieInfoCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PieInfoCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+PieInfoCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PieInfoCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PieInfoCommand.invokeinvoke(args: str, from_tty: bool) → None
+PieInfoCommand.post_loadpost_load() → None
+PieInfoCommand.pre_loadpre_load() → None
+PieInfoCommand.usageusage() → None
+PieRemoteCommandAttach to a remote connection with PIE breakpoint support.
+PieRemoteCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+PieRemoteCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PieRemoteCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PieRemoteCommand.do_invokedo_invoke(argv: List[str]) → None
+PieRemoteCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PieRemoteCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PieRemoteCommand.invokeinvoke(args: str, from_tty: bool) → None
+PieRemoteCommand.post_loadpost_load() → None
+PieRemoteCommand.pre_loadpre_load() → None
+PieRemoteCommand.usageusage() → None
+PieRunCommandRun process with PIE breakpoint support.
+PieRunCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+PieRunCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PieRunCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PieRunCommand.do_invokedo_invoke(argv: List[str]) → None
+PieRunCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PieRunCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PieRunCommand.invokeinvoke(args: str, from_tty: bool) → None
+PieRunCommand.post_loadpost_load() → None
+PieRunCommand.pre_loadpre_load() → None
+PieRunCommand.usageusage() → None
+PieVirtualBreakpointPIE virtual breakpoint (not real breakpoint).
+PieVirtualBreakpoint.__init____init__(set_func: Callable[[int], str], vbp_num: int, addr: int) → None
+PieVirtualBreakpoint.destroydestroy() → None
+PieVirtualBreakpoint.instantiateinstantiate(base: int) → None
+PowerPCPowerPC.canary_addresscanary_address() → int
+PowerPC.flag_register_to_humanflag_register_to_human(val: Optional[int] = None) → str
+PowerPC.get_ith_parameterget_ith_parameter(i: int, in_func: bool = True) → Tuple[str, Optional[int]]
+Retrieves the correct parameter used for the current function call.
+PowerPC.get_raget_ra(insn: __main__.Instruction, frame: 'gdb.Frame') → Optional[int]
+PowerPC.is_branch_takenis_branch_taken(insn: __main__.Instruction) → Tuple[bool, str]
+PowerPC.is_callis_call(insn: __main__.Instruction) → bool
+PowerPC.is_conditional_branchis_conditional_branch(insn: __main__.Instruction) → bool
+PowerPC.is_retis_ret(insn: __main__.Instruction) → bool
+PowerPC.mprotect_asmmprotect_asm(addr: int, size: int, perm: __main__.Permission) → str
+PowerPC.registerregister(name: str) → int
+PowerPC.reset_cachesreset_caches() → None
+PowerPC.supports_gdb_archsupports_gdb_arch(gdb_arch: str) → Optional[bool]
+If implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
PowerPC64PowerPC64.canary_addresscanary_address() → int
+PowerPC64.flag_register_to_humanflag_register_to_human(val: Optional[int] = None) → str
+PowerPC64.get_ith_parameterget_ith_parameter(i: int, in_func: bool = True) → Tuple[str, Optional[int]]
+Retrieves the correct parameter used for the current function call.
+PowerPC64.get_raget_ra(insn: __main__.Instruction, frame: 'gdb.Frame') → Optional[int]
+PowerPC64.is_branch_takenis_branch_taken(insn: __main__.Instruction) → Tuple[bool, str]
+PowerPC64.is_callis_call(insn: __main__.Instruction) → bool
+PowerPC64.is_conditional_branchis_conditional_branch(insn: __main__.Instruction) → bool
+PowerPC64.is_retis_ret(insn: __main__.Instruction) → bool
+PowerPC64.mprotect_asmmprotect_asm(addr: int, size: int, perm: __main__.Permission) → str
+PowerPC64.registerregister(name: str) → int
+PowerPC64.reset_cachesreset_caches() → None
+PowerPC64.supports_gdb_archsupports_gdb_arch(gdb_arch: str) → Optional[bool]
+If implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
PrintFormatCommandPrint bytes format in commonly used formats, such as literals in high level languages.
+PrintFormatCommand.__init____init__() → None
+Return the list of settings for this command.
+PrintFormatCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
PrintFormatCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
PrintFormatCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+PrintFormatCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
PrintFormatCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
PrintFormatCommand.invokeinvoke(args: str, from_tty: bool) → None
+PrintFormatCommand.post_loadpost_load() → None
+PrintFormatCommand.pre_loadpre_load() → None
+PrintFormatCommand.usageusage() → None
+ProcessListingCommandList and filter process. If a PATTERN is given as argument, results shown will be grepped by this pattern.
+ProcessListingCommand.__init____init__() → None
+Return the list of settings for this command.
+ProcessListingCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
ProcessListingCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
ProcessListingCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+ProcessListingCommand.get_processesget_processes() → Generator[Dict[str, str], NoneType, NoneType]
+ProcessListingCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
ProcessListingCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
ProcessListingCommand.invokeinvoke(args: str, from_tty: bool) → None
+ProcessListingCommand.post_loadpost_load() → None
+ProcessListingCommand.pre_loadpre_load() → None
+ProcessListingCommand.usageusage() → None
+ProcessStatusCommandExtends the info given by GDB info proc, by giving an exhaustive description of the process status (file descriptors, ancestor, descendants, etc.).
ProcessStatusCommand.__init____init__() → None
+Return the list of settings for this command.
+ProcessStatusCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
ProcessStatusCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
ProcessStatusCommand.do_invokedo_invoke(argv: List[str]) → None
+ProcessStatusCommand.get_children_pidsget_children_pids(pid: int) → List[int]
+ProcessStatusCommand.get_cmdline_ofget_cmdline_of(pid: int) → str
+ProcessStatusCommand.get_process_path_ofget_process_path_of(pid: int) → str
+ProcessStatusCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
ProcessStatusCommand.get_state_ofget_state_of(pid: int) → Dict[str, str]
+ProcessStatusCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
ProcessStatusCommand.invokeinvoke(args: str, from_tty: bool) → None
+ProcessStatusCommand.list_socketslist_sockets(pid: int) → List[int]
+ProcessStatusCommand.parse_ip_portparse_ip_port(addr: str) → Tuple[str, int]
+ProcessStatusCommand.post_loadpost_load() → None
+ProcessStatusCommand.pre_loadpre_load() → None
+ProcessStatusCommand.show_ancestorshow_ancestor() → None
+ProcessStatusCommand.show_connectionsshow_connections() → None
+ProcessStatusCommand.show_descendantsshow_descendants() → None
+ProcessStatusCommand.show_fdsshow_fds() → None
+ProcessStatusCommand.show_info_procshow_info_proc() → None
+ProcessStatusCommand.usageusage() → None
+RISCVRISCV.canary_addresscanary_address() → int
+RISCV.flag_register_to_humanflag_register_to_human(val: Optional[int] = None) → str
+RISCV.get_ith_parameterget_ith_parameter(i: int, in_func: bool = True) → Tuple[str, Optional[int]]
+Retrieves the correct parameter used for the current function call.
+RISCV.get_raget_ra(insn: __main__.Instruction, frame: 'gdb.Frame') → Optional[int]
+RISCV.is_branch_takenis_branch_taken(insn: __main__.Instruction) → Tuple[bool, str]
+RISCV.is_callis_call(insn: __main__.Instruction) → bool
+RISCV.is_conditional_branchis_conditional_branch(insn: __main__.Instruction) → bool
+RISCV.is_retis_ret(insn: __main__.Instruction) → bool
+RISCV.mprotect_asmmprotect_asm(addr: int, size: int, perm: __main__.Permission) → str
+RISCV.registerregister(name: str) → int
+RISCV.reset_cachesreset_caches() → None
+RISCV.supports_gdb_archsupports_gdb_arch(gdb_arch: str) → Optional[bool]
+If implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
RedirectOutputContextRedirectOutputContext.__init____init__(to: str = '/dev/null') → None
+RemoteCommandGDB target remote command on steroids. This command will use the remote procfs to create a local copy of the execution environment, including the target binary and its libraries in the local temporary directory (the value by default is in gef.config.tempdir). Additionally, it will fetch all the /proc/PID/maps and loads all its information. If procfs is not available remotely, the command will likely fail. You can however still use the limited command provided by GDB target remote.
RemoteCommand.__init____init__() → None
+Return the list of settings for this command.
+RemoteCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
RemoteCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
RemoteCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+RemoteCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
RemoteCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
RemoteCommand.invokeinvoke(args: str, from_tty: bool) → None
+RemoteCommand.post_loadpost_load() → None
+RemoteCommand.pre_loadpre_load() → None
+RemoteCommand.usageusage() → None
+ResetCacheCommandReset cache of all stored data. This command is here for debugging and test purposes, GEF handles properly the cache reset under "normal" scenario.
+ResetCacheCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+ResetCacheCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
ResetCacheCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
ResetCacheCommand.do_invokedo_invoke(_: List[str]) → None
+ResetCacheCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
ResetCacheCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
ResetCacheCommand.invokeinvoke(args: str, from_tty: bool) → None
+ResetCacheCommand.post_loadpost_load() → None
+ResetCacheCommand.pre_loadpre_load() → None
+ResetCacheCommand.usageusage() → None
+SPARCRefs: +- https://www.cse.scu.edu/~atkinson/teaching/sp05/259/sparc.pdf
+SPARC.canary_addresscanary_address() → int
+SPARC.flag_register_to_humanflag_register_to_human(val: Optional[int] = None) → str
+SPARC.get_ith_parameterget_ith_parameter(i: int, in_func: bool = True) → Tuple[str, Optional[int]]
+Retrieves the correct parameter used for the current function call.
+SPARC.get_raget_ra(insn: __main__.Instruction, frame: 'gdb.Frame') → Optional[int]
+SPARC.is_branch_takenis_branch_taken(insn: __main__.Instruction) → Tuple[bool, str]
+SPARC.is_callis_call(insn: __main__.Instruction) → bool
+SPARC.is_conditional_branchis_conditional_branch(insn: __main__.Instruction) → bool
+SPARC.is_retis_ret(insn: __main__.Instruction) → bool
+SPARC.mprotect_asmmprotect_asm(addr: int, size: int, perm: __main__.Permission) → str
+SPARC.registerregister(name: str) → int
+SPARC.reset_cachesreset_caches() → None
+SPARC.supports_gdb_archsupports_gdb_arch(gdb_arch: str) → Optional[bool]
+If implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
SPARC64Refs: +- http://math-atlas.sourceforge.net/devel/assembly/abi_sysV_sparc.pdf +- https://cr.yp.to/2005-590/sparcv9.pdf
+SPARC64.canary_addresscanary_address() → int
+SPARC64.flag_register_to_humanflag_register_to_human(val: Optional[int] = None) → str
+SPARC64.get_ith_parameterget_ith_parameter(i: int, in_func: bool = True) → Tuple[str, Optional[int]]
+Retrieves the correct parameter used for the current function call.
+SPARC64.get_raget_ra(insn: __main__.Instruction, frame: 'gdb.Frame') → Optional[int]
+SPARC64.is_branch_takenis_branch_taken(insn: __main__.Instruction) → Tuple[bool, str]
+SPARC64.is_callis_call(insn: __main__.Instruction) → bool
+SPARC64.is_conditional_branchis_conditional_branch(insn: __main__.Instruction) → bool
+SPARC64.is_retis_ret(insn: __main__.Instruction) → bool
+SPARC64.mprotect_asmmprotect_asm(addr: int, size: int, perm: __main__.Permission) → str
+SPARC64.registerregister(name: str) → int
+SPARC64.reset_cachesreset_caches() → None
+SPARC64.supports_gdb_archsupports_gdb_arch(gdb_arch: str) → Optional[bool]
+If implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
ScanSectionCommandSearch for addresses that are located in a memory mapping (haystack) that belonging to another (needle).
+ScanSectionCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+ScanSectionCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
ScanSectionCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
ScanSectionCommand.do_invokedo_invoke(argv: List[str]) → None
+ScanSectionCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
ScanSectionCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
ScanSectionCommand.invokeinvoke(args: str, from_tty: bool) → None
+ScanSectionCommand.post_loadpost_load() → None
+ScanSectionCommand.pre_loadpre_load() → None
+ScanSectionCommand.usageusage() → None
+SearchPatternCommandSearchPatternCommand: search a pattern in memory. If given an hex value (starting with 0x) the command will also try to look for upwards cross-references to this address.
+SearchPatternCommand.__init____init__() → None
+Return the list of settings for this command.
+SearchPatternCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
SearchPatternCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
SearchPatternCommand.do_invokedo_invoke(argv: List[str]) → None
+SearchPatternCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
SearchPatternCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
SearchPatternCommand.invokeinvoke(args: str, from_tty: bool) → None
+SearchPatternCommand.post_loadpost_load() → None
+SearchPatternCommand.pre_loadpre_load() → None
+SearchPatternCommand.print_locprint_loc(loc: Tuple[int, int, str]) → None
+SearchPatternCommand.print_sectionprint_section(section: __main__.Section) → None
+SearchPatternCommand.search_binpattern_by_addresssearch_binpattern_by_address(
+ binpattern: bytes,
+ start_address: int,
+ end_address: int
+) → List[Tuple[int, int, Optional[str]]]
+Search a binary pattern within a range defined by arguments.
+SearchPatternCommand.search_patternsearch_pattern(pattern: str, section_name: str) → None
+Search a pattern within the whole userland memory.
+SearchPatternCommand.search_pattern_by_addresssearch_pattern_by_address(
+ pattern: str,
+ start_address: int,
+ end_address: int
+) → List[Tuple[int, int, Optional[str]]]
+Search a pattern within a range defined by arguments.
+SearchPatternCommand.usageusage() → None
+SectionGEF representation of process memory sections.
+Section.__init____init__(**kwargs: Any) → None
+Section.is_executableis_executable() → bool
+Section.is_readableis_readable() → bool
+Section.is_writableis_writable() → bool
+SectionBaseFunctionReturn the matching file's base address plus an optional offset. Defaults to current file. Note that quotes need to be escaped
+SectionBaseFunction.__init____init__() → None
+SectionBaseFunction.arg_to_longarg_to_long(args: List, index: int, default: int = 0) → int
+SectionBaseFunction.do_invokedo_invoke(args: List) → int
+SectionBaseFunction.invokeinvoke(*args: Any) → int
+ShdrShdr.__init____init__(elf: Optional[__main__.Elf], off: int) → None
+ShellcodeCommandShellcodeCommand uses @JonathanSalwan simple-yet-awesome shellcode API to download shellcodes.
+ShellcodeCommand.__init____init__() → None
+Return the list of settings for this command.
+ShellcodeCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
ShellcodeCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
ShellcodeCommand.do_invokedo_invoke(_: List[str]) → None
+ShellcodeCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
ShellcodeCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
ShellcodeCommand.invokeinvoke(args: str, from_tty: bool) → None
+ShellcodeCommand.post_loadpost_load() → None
+ShellcodeCommand.pre_loadpre_load() → None
+ShellcodeCommand.usageusage() → None
+ShellcodeGetCommandDownload shellcode from shell-storm's shellcode database.
+ShellcodeGetCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+ShellcodeGetCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
ShellcodeGetCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
ShellcodeGetCommand.do_invokedo_invoke(argv: List[str]) → None
+ShellcodeGetCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
ShellcodeGetCommand.get_shellcodeget_shellcode(sid: int) → None
+ShellcodeGetCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
ShellcodeGetCommand.invokeinvoke(args: str, from_tty: bool) → None
+ShellcodeGetCommand.post_loadpost_load() → None
+ShellcodeGetCommand.pre_loadpre_load() → None
+ShellcodeGetCommand.usageusage() → None
+ShellcodeSearchCommandSearch pattern in shell-storm's shellcode database.
+ShellcodeSearchCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+ShellcodeSearchCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
ShellcodeSearchCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
ShellcodeSearchCommand.do_invokedo_invoke(argv: List[str]) → None
+ShellcodeSearchCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
ShellcodeSearchCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
ShellcodeSearchCommand.invokeinvoke(args: str, from_tty: bool) → None
+ShellcodeSearchCommand.post_loadpost_load() → None
+ShellcodeSearchCommand.pre_loadpre_load() → None
+ShellcodeSearchCommand.search_shellcodesearch_shellcode(search_options: List) → None
+ShellcodeSearchCommand.usageusage() → None
+SkipiCommandSkip N instruction(s) execution
+SkipiCommand.__init____init__() → None
+Return the list of settings for this command.
+SkipiCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
SkipiCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
SkipiCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+SkipiCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
SkipiCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
SkipiCommand.invokeinvoke(args: str, from_tty: bool) → None
+SkipiCommand.post_loadpost_load() → None
+SkipiCommand.pre_loadpre_load() → None
+SkipiCommand.usageusage() → None
+SmartEvalCommandSmartEval: Smart eval (vague approach to mimic WinDBG ?).
SmartEvalCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+SmartEvalCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
SmartEvalCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
SmartEvalCommand.distancedistance(args: Tuple[str, str]) → None
+SmartEvalCommand.do_invokedo_invoke(argv: List[str]) → None
+SmartEvalCommand.evaluateevaluate(expr: List[str]) → None
+SmartEvalCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
SmartEvalCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
SmartEvalCommand.invokeinvoke(args: str, from_tty: bool) → None
+SmartEvalCommand.post_loadpost_load() → None
+SmartEvalCommand.pre_loadpre_load() → None
+SmartEvalCommand.usageusage() → None
+SolveKernelSymbolCommandSolve kernel symbols from kallsyms table.
+SolveKernelSymbolCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+SolveKernelSymbolCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
SolveKernelSymbolCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
SolveKernelSymbolCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+SolveKernelSymbolCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
SolveKernelSymbolCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
SolveKernelSymbolCommand.invokeinvoke(args: str, from_tty: bool) → None
+SolveKernelSymbolCommand.post_loadpost_load() → None
+SolveKernelSymbolCommand.pre_loadpre_load() → None
+SolveKernelSymbolCommand.usageusage() → None
+StackOffsetFunctionReturn the current stack base address plus an optional offset.
+StackOffsetFunction.__init____init__() → None
+StackOffsetFunction.arg_to_longarg_to_long(args: List, index: int, default: int = 0) → int
+StackOffsetFunction.do_invokedo_invoke(args: List) → int
+StackOffsetFunction.invokeinvoke(*args: Any) → int
+StubBreakpointCreate a breakpoint to permanently disable a call (fork/alarm/signal/etc.).
+StubBreakpoint.__init____init__(func: str, retval: Optional[int]) → None
+StubBreakpoint.stopstop() → bool
+StubCommandStub out the specified function. This function is useful when needing to skip one function to be called and disrupt your runtime flow (ex. fork).
+StubCommand.__init____init__() → None
+Return the list of settings for this command.
+StubCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
StubCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
StubCommand.wrapperwrapper(*args: Any, **kwargs: Any) → Callable
+StubCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
StubCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
StubCommand.invokeinvoke(args: str, from_tty: bool) → None
+StubCommand.post_loadpost_load() → None
+StubCommand.pre_loadpre_load() → None
+StubCommand.usageusage() → None
+TraceFreeBreakpointTrack calls to free() and attempts to detect inconsistencies.
+TraceFreeBreakpoint.__init____init__() → None
+TraceFreeBreakpoint.stopstop() → bool
+TraceFreeRetBreakpointInternal temporary breakpoint to track free()d values.
+TraceFreeRetBreakpoint.__init____init__(addr: int) → None
+TraceFreeRetBreakpoint.stopstop() → bool
+TraceMallocBreakpointTrack allocations done with malloc() or calloc().
+TraceMallocBreakpoint.__init____init__(name: str) → None
+TraceMallocBreakpoint.stopstop() → bool
+TraceMallocRetBreakpointInternal temporary breakpoint to retrieve the return value of malloc().
+TraceMallocRetBreakpoint.__init____init__(size: int, name: str) → None
+TraceMallocRetBreakpoint.stopstop() → bool
+TraceReallocBreakpointTrack re-allocations done with realloc().
+TraceReallocBreakpoint.__init____init__() → None
+TraceReallocBreakpoint.stopstop() → bool
+TraceReallocRetBreakpointInternal temporary breakpoint to retrieve the return value of realloc().
+TraceReallocRetBreakpoint.__init____init__(ptr: int, size: int) → None
+TraceReallocRetBreakpoint.stopstop() → bool
+TraceRunCommandCreate a runtime trace of all instructions executed from $pc to LOCATION specified. The trace is stored in a text file that can be next imported in IDA Pro to visualize the runtime path.
+TraceRunCommand.__init____init__() → None
+Return the list of settings for this command.
+TraceRunCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
TraceRunCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
TraceRunCommand.do_invokedo_invoke(argv: List[str]) → None
+TraceRunCommand.get_frames_sizeget_frames_size() → int
+TraceRunCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
TraceRunCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
TraceRunCommand.invokeinvoke(args: str, from_tty: bool) → None
+TraceRunCommand.post_loadpost_load() → None
+TraceRunCommand.pre_loadpre_load() → None
+TraceRunCommand.start_tracingstart_tracing(loc_start: int, loc_end: int, depth: int) → None
+TraceRunCommand.tracetrace(loc_start: int, loc_end: int, depth: int) → None
+TraceRunCommand.usageusage() → None
+UafWatchpointCustom watchpoints set TraceFreeBreakpoint() to monitor free()d pointers being used.
+UafWatchpoint.__init____init__(addr: int) → None
+UafWatchpoint.stopstop() → bool
+If this method is triggered, we likely have a UaF. Break the execution and report it.
+VMMapCommandDisplay a comprehensive layout of the virtual memory mapping. If a filter argument, GEF will filter out the mapping whose pathname do not match that filter.
+VMMapCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+VMMapCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
VMMapCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
VMMapCommand.do_invokedo_invoke(argv: List[str]) → None
+VMMapCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
VMMapCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
VMMapCommand.invokeinvoke(args: str, from_tty: bool) → None
+VMMapCommand.is_integeris_integer(n: str) → bool
+VMMapCommand.post_loadpost_load() → None
+VMMapCommand.pre_loadpre_load() → None
+VMMapCommand.print_entryprint_entry(entry: __main__.Section) → None
+VMMapCommand.show_legendshow_legend() → None
+VMMapCommand.usageusage() → None
+VersionCommandDisplay GEF version info.
+VersionCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+VersionCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
VersionCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
VersionCommand.do_invokedo_invoke(argv: List[str]) → None
+VersionCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
VersionCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
VersionCommand.invokeinvoke(args: str, from_tty: bool) → None
+VersionCommand.post_loadpost_load() → None
+VersionCommand.pre_loadpre_load() → None
+VersionCommand.usageusage() → None
+X86X86.canary_addresscanary_address() → int
+X86.flag_register_to_humanflag_register_to_human(val: Optional[int] = None) → str
+X86.get_ith_parameterget_ith_parameter(i: int, in_func: bool = True) → Tuple[str, Optional[int]]
+X86.get_raget_ra(insn: __main__.Instruction, frame: 'gdb.Frame') → Optional[int]
+X86.is_branch_takenis_branch_taken(insn: __main__.Instruction) → Tuple[bool, str]
+X86.is_callis_call(insn: __main__.Instruction) → bool
+X86.is_conditional_branchis_conditional_branch(insn: __main__.Instruction) → bool
+X86.is_retis_ret(insn: __main__.Instruction) → bool
+X86.mprotect_asmmprotect_asm(addr: int, size: int, perm: __main__.Permission) → str
+X86.registerregister(name: str) → int
+X86.reset_cachesreset_caches() → None
+X86.supports_gdb_archsupports_gdb_arch(gdb_arch: str) → Optional[bool]
+If implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
X86_64X86_64.canary_addresscanary_address() → int
+X86_64.flag_register_to_humanflag_register_to_human(val: Optional[int] = None) → str
+X86_64.get_ith_parameterget_ith_parameter(i: int, in_func: bool = True) → Tuple[str, Optional[int]]
+Retrieves the correct parameter used for the current function call.
+X86_64.get_raget_ra(insn: __main__.Instruction, frame: 'gdb.Frame') → Optional[int]
+X86_64.is_branch_takenis_branch_taken(insn: __main__.Instruction) → Tuple[bool, str]
+X86_64.is_callis_call(insn: __main__.Instruction) → bool
+X86_64.is_conditional_branchis_conditional_branch(insn: __main__.Instruction) → bool
+X86_64.is_retis_ret(insn: __main__.Instruction) → bool
+X86_64.mprotect_asmmprotect_asm(addr: int, size: int, perm: __main__.Permission) → str
+X86_64.registerregister(name: str) → int
+X86_64.reset_cachesreset_caches() → None
+X86_64.supports_gdb_archsupports_gdb_arch(gdb_arch: str) → Optional[bool]
+If implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
XAddressInfoCommandRetrieve and display runtime information for the location(s) given as parameter.
+XAddressInfoCommand.__init____init__() → None
+Return the list of settings for this command.
+XAddressInfoCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
XAddressInfoCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
XAddressInfoCommand.do_invokedo_invoke(argv: List[str]) → None
+XAddressInfoCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
XAddressInfoCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
XAddressInfoCommand.infosinfos(address: int) → None
+XAddressInfoCommand.invokeinvoke(args: str, from_tty: bool) → None
+XAddressInfoCommand.post_loadpost_load() → None
+XAddressInfoCommand.pre_loadpre_load() → None
+XAddressInfoCommand.usageusage() → None
+XFilesCommandShows all libraries (and sections) loaded by binary. This command extends the GDB command info files, by retrieving more information from extra sources, and providing a better display. If an argument FILE is given, the output will grep information related to only that file. If an argument name is also given, the output will grep to the name within FILE.
XFilesCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+XFilesCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
XFilesCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
XFilesCommand.do_invokedo_invoke(argv: List[str]) → None
+XFilesCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
XFilesCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
XFilesCommand.invokeinvoke(args: str, from_tty: bool) → None
+XFilesCommand.post_loadpost_load() → None
+XFilesCommand.pre_loadpre_load() → None
+XFilesCommand.usageusage() → None
+XorMemoryCommandXOR a block of memory. The command allows to simply display the result, or patch it runtime at runtime.
+XorMemoryCommand.__init____init__() → None
+Return the list of settings for this command.
+XorMemoryCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
XorMemoryCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
XorMemoryCommand.do_invokedo_invoke(_: List[str]) → None
+XorMemoryCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
XorMemoryCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
XorMemoryCommand.invokeinvoke(args: str, from_tty: bool) → None
+XorMemoryCommand.post_loadpost_load() → None
+XorMemoryCommand.pre_loadpre_load() → None
+XorMemoryCommand.usageusage() → None
+XorMemoryDisplayCommandDisplay a block of memory pointed by ADDRESS by xor-ing each byte with KEY. The key must be provided in hexadecimal format.
+XorMemoryDisplayCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+XorMemoryDisplayCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
XorMemoryDisplayCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
XorMemoryDisplayCommand.do_invokedo_invoke(argv: List[str]) → None
+XorMemoryDisplayCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
XorMemoryDisplayCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
XorMemoryDisplayCommand.invokeinvoke(args: str, from_tty: bool) → None
+XorMemoryDisplayCommand.post_loadpost_load() → None
+XorMemoryDisplayCommand.pre_loadpre_load() → None
+XorMemoryDisplayCommand.usageusage() → None
+XorMemoryPatchCommandPatch a block of memory pointed by ADDRESS by xor-ing each byte with KEY. The key must be provided in hexadecimal format.
+XorMemoryPatchCommand.__init____init__(*args: Any, **kwargs: Any) → None
+Return the list of settings for this command.
+XorMemoryPatchCommand.add_settingadd_setting(
+ name: str,
+ value: Tuple[Any, type, str],
+ description: str = ''
+) → None
+add_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] = value instead
XorMemoryPatchCommand.del_settingdel_setting(name: str) → None
+del_setting is DEPRECATED and will be removed in the future.
+ Use del self[setting_name] instead
XorMemoryPatchCommand.do_invokedo_invoke(argv: List[str]) → None
+XorMemoryPatchCommand.get_settingget_setting(name: str) → Any
+get_setting is DEPRECATED and will be removed in the future.
+ Use self[setting_name] instead
XorMemoryPatchCommand.has_settinghas_setting(name: str) → bool
+has_setting is DEPRECATED and will be removed in the future.
+ Use setting_name in self instead
XorMemoryPatchCommand.invokeinvoke(args: str, from_tty: bool) → None
+XorMemoryPatchCommand.post_loadpost_load() → None
+XorMemoryPatchCommand.pre_loadpre_load() → None
+XorMemoryPatchCommand.usageusage() → None
+ZoneZone(name, zone_start, zone_end, filename)
+classpropertyMake the attribute a classproperty.
This file was automatically generated via lazydocs.
+ + + + + + +GEF intends to provide a battery-included, quickly installable and crazy fast debugging
+environment sitting on top of GDB.
But it most importantly provides all the primitives required to allow hackers to quickly create
+their own commands. This page intends to summarize how to create advanced GDB commands in moments
+using GEF as a library.
A dedicated repository was born to host external
+scripts. This repo is open to all for
+contributions, no restrictions and the most valuable ones will be integrated into gef.py.
Here is the most basic skeleton for creating a new GEF command named newcmd:
class NewCommand(GenericCommand):
+ """Dummy new command."""
+ _cmdline_ = "newcmd"
+ _syntax_ = f"{_cmdline_}"
+
+ @only_if_gdb_running # not required, ensures that the debug session is started
+ def do_invoke(self, argv):
+ # let's say we want to print some info about the architecture of the current binary
+ print(f"gef.arch={gef.arch}")
+ # or showing the current $pc
+ print(f"gef.arch.pc={gef.arch.pc:#x}")
+ return
+
+register_external_command(NewCommand())
+Loading it in GEF is as easy as
gef➤ source /path/to/newcmd.py
+[+] Loading 'NewCommand'
+We can call it:
+gef➤ newcmd
+gef.arch=<__main__.X86_64 object at 0x7fd5583571c0>
+gef.arch.pc=0x55555555a7d0
+Yes, that's it! Check out the complete API to see what else GEF offers.
+Our new command must be a class that inherits from GEF's GenericCommand. The only requirements are:
_cmdline_ attribute (the command to type on the GDB prompt)._syntax_ attribute, which GEF will use to auto-generate the help menu.do_invoke(self, args) which will be executed when the command is invoked. args is a
+ list of the command line args provided when invoked.We make GEF aware of this new command by registering it in the __main__ section of the script, by
+invoking the global function register_external_command().
Now you have a new GEF command which you can load, either from cli:
+gef➤ source /path/to/newcmd.py
+or add to your ~/.gdbinit:
$ echo source /path/to/newcmd.py >> ~/.gdbinit
+Sometimes you want something similar to a command to run on each break-like event and display itself +as a part of the GEF context. Here is a simple example of how to make a custom context pane:
+__start_time__ = int(time.time())
+def wasted_time_debugging():
+ gef_print("You have wasted {} seconds!".format(int(time.time()) - __start_time__))
+
+def wasted_time_debugging_title():
+ return "wasted:time:debugging:{}".format(int(time.time()) - __start_time__)
+
+register_external_context_pane("wasted_time_debugging", wasted_time_debugging, wasted_time_debugging_title)
+Loading it in GEF is as easy as loading a command
gef➤ source /path/to/custom_context_pane.py
+It can even be included in the same file as a Command. Now on each break you will notice a new pane
+near the bottom of the context. The order can be modified in the GEF context config.
The API demonstrated above requires very specific argument types:
+register_external_context_pane(pane_name, display_pane_function, pane_title_function)
pane_name: a string that will be used as the panes setting namedisplay_pane_function: a function that uses gef_print() to print content in the panepane_title_function: a function that returns the title string or None to hide the titleSome of the most important parts of the API for creating new commands are mentioned (but not limited
+to) below. To see the full help of a function, open GDB and GEF, and use the embedded Python
+interpreter's help command.
For example:
+gef➤ pi help(Architecture)
+or even from outside GDB:
+$ gdb -q -ex 'pi help(hexdump)' -ex quit
+The GEF API aims to provide a simpler and more Pythonic approach to GDB's.
+Some basic examples: +- read the memory
+gef ➤ pi print(hexdump( gef.memory.read(parse_address("$pc"), length=0x20 )))
+0x0000000000000000 f3 0f 1e fa 31 ed 49 89 d1 5e 48 89 e2 48 83 e4 ....1.I..^H..H..
+0x0000000000000010 f0 50 54 4c 8d 05 66 0d 01 00 48 8d 0d ef 0c 01 .PTL..f...H.....
+gef ➤ pi print('\n'.join([ f"{x.page_start:#x} -> {x.page_end:#x}" for x in gef.memory.maps]))
+0x555555554000 -> 0x555555558000
+0x555555558000 -> 0x55555556c000
+0x55555556c000 -> 0x555555575000
+0x555555576000 -> 0x555555577000
+0x555555577000 -> 0x555555578000
+0x555555578000 -> 0x55555559a000
+0x7ffff7cd8000 -> 0x7ffff7cda000
+0x7ffff7cda000 -> 0x7ffff7ce1000
+0x7ffff7ce1000 -> 0x7ffff7cf2000
+0x7ffff7cf2000 -> 0x7ffff7cf7000
+[...]
+The API also offers a number of decorators to simplify the creation of new/existing commands, such as:
+- @only_if_gdb_running to execute only if a GDB session is running.
+- @only_if_gdb_target_local to check if the target is local i.e. not debugging using GDB remote.
+- and many more...
For a complete reference of the API offered by GEF, visit docs/api/gef.md.
@parse_arguments( {"required_argument_1": DefaultValue1, ...}, {"--optional-argument-1": DefaultValue1, ...} )
+This decorator aims to facilitate the argument passing to a command. If added, it will use the
+argparse module to parse arguments, and will store them in the kwargs["arguments"] of the
+calling function (therefore the function must have *args, **kwargs added to its signature).
+Argument type is inferred directly from the default value except for boolean, where a value of
+True corresponds to argparse's store_true action. For more details on argparse, refer to its
+Python documentation.
Values given for the parameters also allow list of arguments being past. This can be useful in the
+case where the number of exact option values is known in advance. This can be achieved simply by
+using a type of tuple or list for the default value. parse_arguments will determine the type
+of what to expect based on the first default value of the iterable, so make sure it's not empty. For
+instance:
@parse_arguments( {"instructions": ["nop", "int3", "hlt"], }, {"--arch": "x64", } )
+Argument flags are also supported, allowing to write simpler version of the flag such as
+@parse_arguments( {}, {("--long-argument", "-l"): value, } )
+A basic example would be as follow:
+class MyCommand(GenericCommand):
+ [...]
+
+ @parse_arguments({"foo": [1,]}, {"--bleh": "", ("--blah", "-l): True})
+ def do_invoke(self, argv, *args, **kwargs):
+ args = kwargs["arguments"]
+ if args.foo == 1: ...
+ if args.blah == True: ...
+When the user enters the following command:
+gef➤ mycommand --blah 3 14 159 2653
+The function MyCommand!do_invoke() can use the command line argument value
args.foo --> [3, 14, 159, 2653] # a List(int) from user input
+args.bleh --> "" # the default value
+args.blah --> True # set to True because user input declared the option (would have been False otherwise)
+Support for new architectures can be added by inheriting from the Architecture class. Examples can
+be found in gef-extras.
Sometimes architectures can more precisely determine whether they apply to the current target by
+looking at the architecture determined by gdb. For these cases the custom architecture may implement
+the supports_gdb_arch() static function to signal that they should be used instead of the default.
+The function receives only one argument:
+- gdb_str (of type str) which is the architecture name as reported by GDB.
The function must return:
+- True if the current Architecture class supports the target binary; False otherwise.
+- None to simply ignore this check and let GEF try to determine the architecture.
One example is the ARM Cortex-M architecture which in some cases should be used over the generic ARM +one:
+@staticmethod
+def supports_gdb_arch(gdb_arch: str) -> Optional[bool]:
+ return bool(re.search("^armv.*-m$", gdb_arch))
+aliasesBase command to add, remove, and list GEF defined aliases.
gef➤ aliases
+aliases (add|rm|list)
+GEF defines its own aliasing mechanism which overrides the traditional alias that GDB provides
+through the built-in command alias. To add a new alias, simply use the aliases add command. The
+"command" parameter may contain spaces.
aliases add [alias] [command]
+To remove an alias, simply use the aliases rm command.
aliases rm [alias]
+One can list aliases by using the aliases ls command. Some sample output of this command is seen
+below.
[+] Aliases defined:
+fmtstr-helper → format-string-helper
+telescope → dereference
+dps → dereference
+dq → hexdump qword
+dd → hexdump dword
+dw → hexdump word
+dc → hexdump byte
+cs-dis → capstone-disassemble
+ctx → context
+start-break → entry-break
+ps → process-search
+[...]
+Users can also create/modify/delete aliases by editing the GEF configuration file, by default
+located at ~/.gef.rc. The aliases must be in the aliases section of the configuration file.
Creating a new alias is as simple as creating a new entry in this section:
+$ nano ~/.gef.rc
+[...]
+[aliases]
+my-new-alias = gdb-or-gef-command <arg1> <arg2> <etc...>
+For example, for those (like me) who use WinDBG and like its bindings, they can be integrated into +GDB via GEF aliases like this:
+$ nano ~/.gef.rc
+[...]
+[aliases]
+# some windbg aliases
+dps = dereference
+dq = hexdump qword
+dd = hexdump dword
+dw = hexdump word
+dc = hexdump byte
+dt = pcustom
+bl = info breakpoints
+bp = break
+be = enable breakpoints
+bd = disable breakpoints
+bc = delete breakpoints
+tbp = tbreak
+tba = thbreak
+pa = advance
+ptc = finish
+t = stepi
+p = nexti
+g = gef run
+uf = disassemble
+Or here are some PEDA aliases for people used to using PEDA who made the smart move to GEF.
# some peda aliases
+telescope = dereference
+start = entry-break
+stack = dereference -l 10 $sp
+argv = show args
+kp = info stack
+findmem = search-pattern
+The aliases will be loaded next time you load GDB (and GEF). Or you can force GEF to reload the
+settings with the command:
gef➤ gef restore
+aslrEasily check, enable or disable ASLR on the debugged binary.
+Check the status:
+gef➤ aslr
+ASLR is currently disabled
+Activate ASLR:
+gef➤ aslr on
+[+] Enabling ASLR
+gef➤ aslr
+ASLR is currently enabled
+De-activate ASLR:
+gef➤ aslr off
+[+] Disabling ASLR
+Note: This command cannot affect a process that has already been loaded, to which GDB attached
+to later. The only way to disable this randomization is by setting the kernel setting
+/proc/sys/kernel/randomize_va_space to 0..
canaryIf the currently debugged process was compiled with the Smash Stack Protector (SSP) - i.e. the
+-fstack-protector flag was passed to the compiler, this command will display the value of the
+canary. This makes it convenient to avoid manually searching for this value in memory.
The command canary does not take any arguments.
gef➤ canary
+
checksecThe checksec command is inspired from checksec.sh.
+It provides a convenient way to determine which security protections are enabled in a binary.
You can use the command on the currently debugged process:
+gef➤ checksec
+[+] checksec for '/vagrant/test-bin'
+Canary: No
+NX Support: Yes
+PIE Support: No
+No RPATH: Yes
+No RUNPATH: Yes
+Partial RelRO: Yes
+Full RelRO: No
+Or specify directly the binary to check, for example:
+$ gdb -ex "checksec ./tests/test-x86"
+gef configgef reads its config from a file which is by default located at ~/.gef.rc, but which can also be
+specified via the GEF_RC environment variable. In addition, gef can also be configured at
+runtime with the gef config command.
To view all settings for all commands loaded:
+gef➤ gef config
+
Or to get one setting value:
+gef➤ gef config pcustom.struct_path
+Of course you can edit the values. For example, if you want the screen to be cleared before +displaying the current context when reaching a breakpoing:
+gef➤ gef config context.clear_screen 1
+To save the current settings for GEF to the file system to have those options persist across all
+your future GEF sessions, simply run:
gef➤ gef save
+[+] Configuration saved to '/home/vagrant/.gef.rc'
+Upon startup, if $GEF_RC points to an existing file, or otherwise if ${HOME}/.gef.rc exists,
+gef will automatically load its values.
To reload the settings during the session, just run:
+gef➤ gef restore
+[+] Configuration from '/home/hugsy/.gef.rc' restored
+You can tweak this configuration file outside your gdb session to suit your needs.
context
gef (not unlike PEDA or fG! famous gdbinit) provides comprehensive context menu when hitting a
+breakpoint.
reg
+ command.As well as using the built-in context panes, you can add your own custom pane that will be displayed
+at each break-like event with all the other panes. Custom panes can be added using the API:
register_external_context_pane(pane_name, display_pane_function, pane_title_function)
+Check the API documentation to see a full usage of the registration API.
+gef allows you to configure your own setup for the display, by re-arranging the order with which
+contexts will be displayed.
gef➤ gef config context.layout
+There are currently 6 sections that can be displayed:
+legend : a text explanation of the color coderegs : the state of registersstack : the content of memory pointed by $sp registercode : the code being executedargs : if stopping at a function calls, print the call argumentssource : if compiled with source, this will show the corresponding line of source codethreads : all the threadstrace : the execution call traceextra : if an automatic behavior is detected (vulnerable format string, heap vulnerability,
+ etc.) it will be displayed in this panememory : peek into arbitrary memory locationsTo hide a section, simply use the context.layout setting, and prepend the section name with - or
+just omit it.
gef➤ gef config context.layout "-legend regs stack code args -source -threads -trace extra memory"
+This configuration will not display the legend, source, threads, and trace sections.
The memory pane will display the content of all locations specified by the
+memory command. For instance,
gef➤ memory watch $sp 0x40 byte
+will print a hexdump version of 0x40 bytes of the stack. This command makes it convenient for
+tracking the evolution of arbitrary locations in memory. Tracked locations can be removed one by one
+using memory unwatch, or altogether with memory reset.
The size of most sections are also customizable:
+nb_lines_stack configures how many lines of the stack to show.nb_lines_backtrack configures how many lines of the backtrace to show.nb_lines_code and nb_lines_code_prev configure how many lines to show after and before the PC,
+ respectively.context.nb_lines_threads determines the number of lines to display inside the thread pane. This
+ is convenient when debugging heavily multi-threaded applications (apache2, firefox, etc.). It
+ receives an integer as value: if this value is -1 then all threads state will be displayed.
+ Otherwise, if the value is set to N, then at most N thread states will be shown.To have the stack displayed with the largest stack addresses on top (i.e., grow the stack downward), +enable the following setting:
+gef➤ gef config context.grow_stack_down True
+If the saved instruction pointer is not within the portion of the stack being displayed, then a +section is created that includes the saved ip and depending on the architecture the frame pointer.
+0x00007fffffffc9e8│+0x00: 0x00007ffff7a2d830 → <__main+240> mov edi, eax ($current_frame_savedip)
+0x00007fffffffc9e0│+0x00: 0x00000000004008c0 → <__init+0> push r15 ← $rbp
+. . . (440 bytes skipped)
+0x00007fffffffc7e8│+0x38: 0x0000000000000000
+0x00007fffffffc7e0│+0x30: 0x0000000000000026 ("&"?)
+0x00007fffffffc7d8│+0x28: 0x0000000001958ac0
+0x00007fffffffc7d0│+0x20: 0x00007ffff7ffa2b0 → 0x5f6f7364765f5f00
+0x00007fffffffc7c8│+0x18: 0x00007fff00000000
+0x00007fffffffc7c0│+0x10: 0x00007fffffffc950 → 0x0000000000000000
+0x00007fffffffc7b8│+0x08: 0x0000000000000000
+0x00007fffffffc7b0│+0x00: 0x00007fffffffc7e4 → 0x0000000000000000 ← $rsp
+By default, the gef context will be displayed on the current TTY. This can be overridden by
+setting context.redirect variable to have the context sent to another section.
To do so, select the TTY/file/socket/etc. you want the context redirected to with gef config.
Enter the command tty in the prompt:
$ tty
+/dev/pts/0
+Then tell gef about it!
gef➤ gef config context.redirect /dev/pts/0
+Enjoy:
+
To go back to normal, remove the value:
+gef➤ gef config context.redirect ""
+You can display a single section by specifying it as an argument:
+gef➤ context regs
+Multiple sections can be provided, even if they are not part of the current layout:
+gef➤ context regs stack
+gef➤ gef config context.layout "code regs stack"
+gef➤ gef config context.enable 0
+gef➤ gef config context.clear_screen 1
+regs section (more compact):gef➤ gef config context.show_registers_raw 1
+gef➤ gef config context.show_opcodes_size 4
+gef➤ gef config context.peek_calls False
+gef➤ gef config context.ignore_registers "$cs $ds $gs"
+gef➤ gef config context.show_source_code_variable_values 0
+gef➤ gef config context.libc_args True
+gef➤ gef config context.libc_args_path /path/to/gef-extras/libc_args
+dereferenceThe dereference command (also aliased telescope for PEDA former users) aims to simplify the
+dereferencing of an address in GDB to determine the content it actually points to.
It is a useful convienence function to spare to process of manually tracking values with successive
+x/x in GDB.
dereference takes three optional arguments, a start address (or symbol or register, etc) to
+dereference (by default, $sp), the number of consecutive addresses to dereference (by default,
+10) and the base location for offset calculation (by default the same as the start address):
gef➤ dereference
+0x00007fffffffdec0│+0x0000: 0x00007ffff7ffe190 → 0x0000555555554000 → jg 0x555555554047 ← $rsp, $r13
+0x00007fffffffdec8│+0x0008: 0x00007ffff7ffe730 → 0x00007ffff7fd3000 → 0x00010102464c457f
+0x00007fffffffded0│+0x0010: 0x00007ffff7faa000 → 0x00007ffff7de9000 → 0x03010102464c457f
+0x00007fffffffded8│+0x0018: 0x00007ffff7ffd9f0 → 0x00007ffff7fd5000 → 0x00010102464c457f
+0x00007fffffffdee0│+0x0020: 0x00007fffffffdee0 → [loop detected]
+0x00007fffffffdee8│+0x0028: 0x00007fffffffdee0 → 0x00007fffffffdee0 → [loop detected]
+0x00007fffffffdef0│+0x0030: 0x00000000f7fa57e3
+0x00007fffffffdef8│+0x0038: 0x0000555555755d60 → 0x0000555555554a40 → cmp BYTE PTR [rip+0x201601], 0x0 # 0x555555756048
+0x00007fffffffdf00│+0x0040: 0x0000000000000004
+0x00007fffffffdf08│+0x0048: 0x0000000000000001
+Here is an example with arguments:
+gef➤ telescope $rbp+0x10 -l 8
+0x00007fffffffdf40│+0x0000: 0x00007ffff7fa5760 → 0x00000000fbad2887
+0x00007fffffffdf48│+0x0008: 0x00000001f7e65b63
+0x00007fffffffdf50│+0x0010: 0x0000000000000004
+0x00007fffffffdf58│+0x0018: 0x0000000000000000
+0x00007fffffffdf60│+0x0020: 0x00007fffffffdfa0 → 0x0000555555554fd0 → push r15
+0x00007fffffffdf68│+0x0028: 0x0000555555554980 → xor ebp, ebp
+0x00007fffffffdf70│+0x0030: 0x00007fffffffe080 → 0x0000000000000001
+0x00007fffffffdf78│+0x0038: 0x0000000000000000
+It also optionally accepts a second argument, the number of consecutive addresses to dereference (by
+default, 10).
For example, if you want to dereference all the stack entries inside a function context (on a 64bit +architecture):
+gef➤ p ($rbp - $rsp)/8
+$3 = 4
+gef➤ dereference -l 5
+0x00007fffffffe170│+0x0000: 0x0000000000400690 → push r15 ← $rsp
+0x00007fffffffe178│+0x0008: 0x0000000000400460 → xor ebp, ebp
+0x00007fffffffe180│+0x0010: 0x00007fffffffe270 → 0x1
+0x00007fffffffe188│+0x0018: 0x1
+0x00007fffffffe190│+0x0020: 0x0000000000400690 → push r15 ← $rbp
+It is possible to change the offset calculation to use a different address than the start address:
+gef➤ dereference $sp -l 7 -r $rbp
+0x00007ffe6ddaa3e0│-0x0030: 0x0000000000000000 ← $rsp
+0x00007ffe6ddaa3e8│-0x0028: 0x0000000000400970 → <__libc_csu_init+0> push r15
+0x00007ffe6ddaa3f0│-0x0020: 0x0000000000000000
+0x00007ffe6ddaa3f8│-0x0018: 0x00000000004006e0 → <_start+0> xor ebp, ebp
+0x00007ffe6ddaa400│-0x0010: 0x00007ffe6ddaa500 → 0x0000000000000001
+0x00007ffe6ddaa408│-0x0008: 0xa42456b3ee465800
+0x00007ffe6ddaa410│+0x0000: 0x0000000000000000 ← $rbp
+Just like with x, you can pass a negative number of addresses to dereference, to examine memory
+backwards from the start address:
gef➤ dereference $sp -l 3
+0x00007fffffffcf90│+0x0010: 0x00007ffff7f5aaa0 → 0x0000000000000000
+0x00007fffffffcf88│+0x0008: 0x00000000000204a0
+0x00007fffffffcf80│+0x0000: 0x00005555555a6b60 → 0x0000000000000000 ← $rsp
+gef➤ dereference $sp -l -3
+0x00007fffffffcf80│+0x0000: 0x00005555555a6b60 → 0x0000000000000000 ← $rsp
+0x00007fffffffcf78│-0x0008: 0x0000000000000020 (" "?)
+0x00007fffffffcf70│-0x0010: 0x000000000000000a ("\n"?)
+edit-flagsThe edit-flags command (alias: flags) provides a quick and comprehensible way to view and edit
+the flag register for the architectures that support it. Without argument, the command will simply
+return a human-friendly display of the register flags.
One or many arguments can be provided, following the syntax below:
+gef➤ flags [(+|-|~)FLAGNAME ...]
+Where FLAGNAME is the name of the flag (case insensitive), and +|-|~ indicates the action on
+whether to set, unset, or toggle the flag.
For instance, on x86 architecture, if we don't want to take a conditional jump (e.g. a jz
+instruction), but we want to have the Carry flag set, simply go with:
gef➤ flags -ZERO +CARRY
+
elf-infoelf-info (alias elf) provides some basic information on the currently loaded ELF binary:
gef➤ elf
+Magic : 7f 45 4c 46
+Class : 0x2 - 64-bit
+Endianness : 0x1 - Little-Endian
+Version : 0x1
+OS ABI : 0x0 - System V
+ABI Version : 0x0
+Type : 0x2 - Executable
+Machine : 0x3e - x86-64
+Program Header Table : 0x0000000000000040
+Section Header Table : 0x00000000000021a8
+Header Table : 0x0000000000000040
+ELF Version : 0x1
+Header size : 64 (0x40)
+Entry point : 0x0000000000400750
+
+────────────────────────────────────────── Program Header ──────────────────────────────────────────
+ [ #] Type Offset Virtaddr Physaddr FileSiz MemSiz Flags Align
+ [ 0] PHDR 0x40 0x400040 0x400040 0x1f8 0x1f8 R-X 0x8
+ [ 1] INTERP 0x238 0x400238 0x400238 0x1c 0x1c R-- 0x1
+ [ 2] LOAD 0x0 0x400000 0x400000 0x1414 0x1414 R-X 0x200000
+ [ 3] LOAD 0x1e10 0x601e10 0x601e10 0x268 0x330 RW- 0x200000
+ [ 4] DYNAMIC 0x1e28 0x601e28 0x601e28 0x1d0 0x1d0 RW- 0x8
+ [ 5] NOTE 0x254 0x400254 0x400254 0x44 0x44 R-- 0x4
+ [ 6] GNU_EH_FLAME 0x11a0 0x4011a0 0x4011a0 0x74 0x74 R-- 0x4
+ [ 7] GNU_STACK 0x0 0x0 0x0 0x0 0x0 RW- 0x10
+ [ 8] GNU_RELRO 0x1e10 0x601e10 0x601e10 0x1f0 0x1f0 R-- 0x1
+
+────────────────────────────────────────── Section Header ──────────────────────────────────────────
+ [ #] Name Type Address Offset Size EntSiz Flags Link Info Align
+ [ 0] NULL 0x0 0x0 0x0 0x0 0x0 0x0 0x0
+ [ 1] .interp PROGBITS 0x400238 0x238 0x1c 0x0 A 0x0 0x0 0x1
+ [ 2] .note.ABI-tag NOTE 0x400254 0x254 0x20 0x0 A 0x0 0x0 0x4
+ [ 3] .note.gnu.build-id NOTE 0x400274 0x274 0x24 0x0 A 0x0 0x0 0x4
+ [ 4] .gnu.hash GNU_HASH 0x400298 0x298 0x30 0x0 A 0x5 0x0 0x8
+ [ 5] .dynsym DYNSYM 0x4002c8 0x2c8 0x168 0x18 A 0x6 0x1 0x8
+ [ 6] .dynstr STRTAB 0x400430 0x430 0x96 0x0 A 0x0 0x0 0x1
+ [ 7] .gnu.version HIOS 0x4004c6 0x4c6 0x1e 0x2 A 0x5 0x0 0x2
+ [ 8] .gnu.version_r GNU_verneed 0x4004e8 0x4e8 0x30 0x0 A 0x6 0x1 0x8
+ [ 9] .rela.dyn RELA 0x400518 0x518 0x60 0x18 A 0x5 0x0 0x8
+ [10] .rela.plt RELA 0x400578 0x578 0xf0 0x18 AI 0x5 0x18 0x8
+ [11] .init PROGBITS 0x400668 0x668 0x1a 0x0 AX 0x0 0x0 0x4
+ [12] .plt PROGBITS 0x400690 0x690 0xb0 0x10 AX 0x0 0x0 0x10
+ [13] .plt.got PROGBITS 0x400740 0x740 0x8 0x0 AX 0x0 0x0 0x8
+ [14] .text PROGBITS 0x400750 0x750 0x842 0x0 AX 0x0 0x0 0x10
+ [15] .fini PROGBITS 0x400f94 0xf94 0x9 0x0 AX 0x0 0x0 0x4
+ [16] .rodata PROGBITS 0x400fa0 0xfa0 0x200 0x0 A 0x0 0x0 0x8
+ [17] .eh_frame_hdr PROGBITS 0x4011a0 0x11a0 0x74 0x0 A 0x0 0x0 0x4
+ [18] .eh_frame PROGBITS 0x401218 0x1218 0x1fc 0x0 A 0x0 0x0 0x8
+ [19] .init_array INIT_ARRAY 0x601e10 0x1e10 0x8 0x0 WA 0x0 0x0 0x8
+ [20] .fini_array FINI_ARRAY 0x601e18 0x1e18 0x8 0x0 WA 0x0 0x0 0x8
+ [21] .jcr PROGBITS 0x601e20 0x1e20 0x8 0x0 WA 0x0 0x0 0x8
+ [22] .dynamic DYNAMIC 0x601e28 0x1e28 0x1d0 0x10 WA 0x6 0x0 0x8
+ [23] .got PROGBITS 0x601ff8 0x1ff8 0x8 0x8 WA 0x0 0x0 0x8
+ [24] .got.plt PROGBITS 0x602000 0x2000 0x68 0x8 WA 0x0 0x0 0x8
+ [25] .data PROGBITS 0x602068 0x2068 0x10 0x0 WA 0x0 0x0 0x8
+ [26] .bss NOBITS 0x602080 0x2078 0xc0 0x0 WA 0x0 0x0 0x20
+ [27] .comment PROGBITS 0x0 0x2078 0x34 0x1 MS 0x0 0x0 0x1
+ [28] .shstrtab STRTAB 0x0 0x20ac 0xfc 0x0 0x0 0x0 0x1
+Optionally a filepath to another ELF binary can be provided to view the basic information for that +binary instead.
+gef➤ elf-info --filename /path/to/elf/executable
+entry-breakThe entry-break (alias start) command's goal is to find and break at the most obvious entry
+point available in the binary. Since the binary will start running, some of the PLT entries will
+also be resolved, making further debugging easier.
It will perform the following actions:
+main symbol. If found, set a temporary breakpoint and go.__libc_start_main. If found, set a temporary breakpoint and go.
$The $ command attempts to mimic WinDBG ? command.
When provided one argument, it will evaluate the expression, and try to display the result with +various formats:
+gef➤ $ $pc+1
+93824992252977
+0x555555559431
+0b10101010101010101010101010101011001010000110001
+b'UUUU\x941'
+b'1\x94UUUU'
+
+gef➤ $ -0x1000
+-4096
+0xfffffffffffff000
+0b1111111111111111111111111111111111111111111111111111000000000000
+b'\xff\xff\xff\xff\xff\xff\xf0\x00'
+b'\x00\xf0\xff\xff\xff\xff\xff\xff'
+With two arguments, it will simply compute the delta between them:
+gef➤ vmmap libc
+Start End Offset Perm
+0x00007ffff7812000 0x00007ffff79a7000 0x0000000000000000 r-x /lib/x86_64-linux-gnu/libc-2.24.so
+0x00007ffff79a7000 0x00007ffff7ba7000 0x0000000000195000 --- /lib/x86_64-linux-gnu/libc-2.24.so
+0x00007ffff7ba7000 0x00007ffff7bab000 0x0000000000195000 r-- /lib/x86_64-linux-gnu/libc-2.24.so
+0x00007ffff7bab000 0x00007ffff7bad000 0x0000000000199000 rw- /lib/x86_64-linux-gnu/libc-2.24.so
+
+gef➤ $ 0x00007ffff7812000 0x00007ffff79a7000
+-1658880
+1658880
+
+gef➤ $ 1658880
+1658880
+0x195000
+0b110010101000000000000
+b'\x19P\x00'
+b'\x00P\x19'
+format-string-helperThe format-string-helper command will create a GEF specific type of breakpoints dedicated to
+detecting potentially insecure format string when using the GlibC library.
It will use this new breakpoint against several targets, including:
+printf()sprintf()fprintf()snprintf()vsnprintf()Just call the command to enable this functionality.
+fmtstr-helper is a shorter alias.
gef➤ fmtstr-helper
+Then start the binary execution.
+gef➤ r
+If a potentially insecure entry is found, the breakpoint will trigger, stop the process execution, +display the reason for trigger and the associated context.
+
functionsThe functions command will list all of the convenience
+functions provided by GEF.
$_base([filepath]) -- Return the matching file's base address plus an optional offset.
+ Defaults to the current file. Note that quotes need to be escaped.$_bss([offset]) -- Return the current bss base address plus the given offset.$_got([offset]) -- Return the current bss base address plus the given offset.$_heap([offset]) -- Return the current heap base address plus an optional offset.$_stack([offset]) -- Return the current stack base address plus an optional offset.These functions can be used as arguments to other commands to dynamically calculate values.
+gef➤ deref -l 4 $_heap()
+0x0000000000602000│+0x00: 0x0000000000000000 ← $r8
+0x0000000000602008│+0x08: 0x0000000000000021 ("!"?)
+0x0000000000602010│+0x10: 0x0000000000000000 ← $rax, $rdx
+0x0000000000602018│+0x18: 0x0000000000000000
+gef➤ deref -l 4 $_heap(0x20)
+0x0000000000602020│+0x00: 0x0000000000000000 ← $rsi
+0x0000000000602028│+0x08: 0x0000000000020fe1
+0x0000000000602030│+0x10: 0x0000000000000000
+0x0000000000602038│+0x18: 0x0000000000000000
+gef➤ deref -l 4 $_base(\"libc\")
+0x00007ffff7da9000│+0x0000: 0x03010102464c457f
+0x00007ffff7da9008│+0x0008: 0x0000000000000000
+0x00007ffff7da9010│+0x0010: 0x00000001003e0003
+0x00007ffff7da9018│+0x0018: 0x0000000000027c60
+gef-remotetarget remote
+is the traditional GDB way of debugging process or system remotely. However this command by itself
+does a limited job (80's bandwith FTW) to collect more information about the target, making the
+process of debugging more cumbersome. GEF greatly improves that state with the gef-remote command.
📝 Note: If using GEF, gef-remote must be your way or debugging remote processes, never
+target remote. Maintainers will not provide support or help if you decide to use the traditional
+target remote command. For many reasons, you cannot use target remote alone with GEF.
gef-remote can function in 2 ways:
+- remote which is meant to enrich use of GDB target remote command, when connecting to a "real"
+ gdbserver instance
+- qemu-mode when connecting to GDB stab of either qemu-user or qemu-system.
The reason for this difference being that Qemu provides a lot less information that GEF can +extract to enrich debugging. Whereas GDBServer allows to download remote file (therefore allowing to +create a small identical environment), GDB stub in Qemu does not support file transfer. As a +consequence, in order to use GEF in qemu mode, it is required to provide the binary being debugged. +GEF will create a mock (limited) environment so that all its most useful features are available.
+remoteIf you want to remotely debug a binary that you already have, you simply need to tell to gdb where
+to find the debug information.
For example, if we want to debug uname, we do on the server:
$ gdbserver :1234 /tmp/default.out
+Process /tmp/default.out created; pid = 258932
+Listening on port 1234
+
On the client, when the original gdb would use target remote, GEF's syntax is roughly similar
+(shown running in debug mode for more verbose output, but you don't have to):
$ gdb -ex 'gef config gef.debug 1'
+GEF for linux ready, type `gef' to start, `gef config' to configure
+90 commands loaded and 5 functions added for GDB 10.2 using Python engine 3.8
+gef➤ gef-remote localhost 1234
+[=] [remote] initializing remote session with localhost:1234 under /tmp/tmp8qd0r7iw
+[=] [remote] Installing new objfile handlers
+[=] [remote] Enabling extended remote: False
+[=] [remote] Executing 'target remote localhost:1234'
+Reading /tmp/default.out from remote target...
+warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
+Reading /tmp/default.out from remote target...
+Reading symbols from target:/tmp/default.out...
+[=] [remote] in remote_objfile_handler(target:/tmp/default.out))
+[=] [remote] downloading '/tmp/default.out' -> '/tmp/tmp8qd0r7iw/tmp/default.out'
+Reading /lib64/ld-linux-x86-64.so.2 from remote target...
+Reading /lib64/ld-linux-x86-64.so.2 from remote target...
+[=] [remote] in remote_objfile_handler(/usr/lib/debug/.build-id/45/87364908de169dec62ffa538170118c1c3a078.debug))
+[=] [remote] in remote_objfile_handler(target:/lib64/ld-linux-x86-64.so.2))
+[=] [remote] downloading '/lib64/ld-linux-x86-64.so.2' -> '/tmp/tmp8qd0r7iw/lib64/ld-linux-x86-64.so.2'
+[=] [remote] in remote_objfile_handler(system-supplied DSO at 0x7ffff7fcd000))
+[*] [remote] skipping 'system-supplied DSO at 0x7ffff7fcd000'
+0x00007ffff7fd0100 in _start () from target:/lib64/ld-linux-x86-64.so.2
+[=] Setting up as remote session
+[=] [remote] downloading '/proc/258932/maps' -> '/tmp/tmp8qd0r7iw/proc/258932/maps'
+[=] [remote] downloading '/proc/258932/environ' -> '/tmp/tmp8qd0r7iw/proc/258932/environ'
+[=] [remote] downloading '/proc/258932/cmdline' -> '/tmp/tmp8qd0r7iw/proc/258932/cmdline'
+[...]
+And finally breaking into the program, showing the current context:
+
You will also notice the prompt has changed to indicate the debugging mode is now "remote". Besides +that, all of GEF features are available:
+
remote-extendedExtended mode works the same as remote. Being an extended session, gdbserver has not spawned or
+attached to any process. Therefore, all that's required is to add the --pid flag when calling
+gef-remote, along with the process ID of the process to debug.
Qemu mode of gef-remote allows to connect to the Qemu GDB
+stub which allows to live debug into either a
+binary (qemu-user) or even the kernel (qemu-system), of any architecture supported by GEF, which
+makes now even more sense 😉 And using it is very straight forward.
qemu-userqemu-x86_64 :1234 /bin/ls--qemu-user and --qemu-binary /bin/ls when starting gef-remote
qemu-systemTo test locally, you can use the mini image linux x64 vm
+here.
+ 1. Run ./run.sh
+ 2. Use --qemu-user and --qemu-binary vmlinuz when starting gef-remote
gefDisplays a list of GEF commands and their descriptions.
+gef➤ gef
+─────────────────────────────────── GEF - GDB Enhanced Features ───────────────────────────────────
+$ -- SmartEval: Smart eval (vague approach to mimic WinDBG `?`).
+aslr -- View/modify the ASLR setting of GDB. By default, GDB will disable ASLR when it starts the process. (i.e. not
+ attached). This command allows to change that setting.
+assemble -- Inline code assemble. Architecture can be set in GEF runtime config (default x86-32). (alias: asm)
+bincompare -- BincompareCommand: compare an binary file with the memory position looking for badchars.
+bytearray -- BytearrayCommand: Generate a bytearray to be compared with possible badchars.
+
+[...snip...]
+
+GEF is fully battery-included. However in some rare cases, it is possible that not all commands be
+loaded. If that's the case the command gef missing will detail which command failed to load, along
+with a (likely) reason. Read the documentation for a solution, or reach out on the Discord.
gef➤ gef missing
+[*] Command `XXXX` is missing, reason → YYYYY.
+Allows the user to set/view settings for the current debugging session. For making the changes
+persistent see the gef save entry.
Using gef config by itself just shows all of the available settings and their values.
gef➤ gef config
+──────────────────────────────────── GEF configuration settings ────────────────────────────────────
+context.clear_screen (bool) = False
+context.enable (bool) = True
+context.grow_stack_down (bool) = False
+context.ignore_registers (str) = ""
+context.layout (str) = "-code -stack"
+context.libc_args (bool) = False
+
+[...snip...]
+
+To filter the config settings you can use gef config [setting].
gef➤ gef config theme
+─────────────────────────── GEF configuration settings matching 'theme' ───────────────────────────
+theme.context_title_line (str) = "gray"
+theme.context_title_message (str) = "cyan"
+theme.default_title_line (str) = "gray"
+theme.default_title_message (str) = "cyan"
+
+[...snip...]
+
+You can use gef config [setting] [value] to set a setting for the current session (see example
+below).
gef➤ gef config theme.address_stack blue
+The gef save command saves the current settings (set with gef config) to the user's ~/.gef.rc
+file (making the changes persistent).
gef➤ gef save
+[+] Configuration saved to '/home/michael/.gef.rc'
+Using gef restore loads and applies settings from the ~/.gef.rc file to the current session.
+This is useful if you are modifying your GEF configuration file and want to see the changes without
+completely reloading GEF.
gef➤ gef restore
+[+] Configuration from '/home/michael/.gef.rc' restored
+The GEF set command allows the user to use GEF context within GDB set commands. This is useful when +you want to make a convenient variable which can be set and referenced later.
+gef➤ gef set $a=1
+The GEF run command is a wrapper around GDB's run command, allowing the user to use GEF context +within the command.
+gef➤ gef run ./binary
+gef install allows to install one (or more) specific script(s) from gef-extras. The new scripts
+will be downloaded and sourced to be used immediately after by GEF. The syntax is straight forward:
gef➤ gef install SCRIPTNAME1 [SCRIPTNAME2...]
+Where SCRIPTNAME1 ... are the names of script from the gef-extras
+repository.
gef➤ gef install remote windbg stack
+[+] Searching for 'remote.py' in `gef-extras@main`...
+[+] Installed file '/tmp/gef/remote.py', new command(s) available: `rpyc-remote`
+[+] Searching for 'windbg.py' in `gef-extras@main`...
+[+] Installed file '/tmp/gef/windbg.py', new command(s) available: `pt`, `hh`, `tt`, `ptc`, `sxe`, `u`, `xs`, `tc`, `pc`, `g`, `r`
+[+] Searching for 'stack.py' in `gef-extras@main`...
+[+] Installed file '/tmp/gef/stack.py', new command(s) available: `current-stack-frame`
+gef➤
+This makes it easier to deploy new functionalities in limited environment. By default, the command
+looks up for script names in the main branch of gef-extras. However you can change specify a
+different branch through the gef.default_branch configuration setting:
gef➤ gef config gef.default_branch dev
+The files will be dowloaded in the path configured in the gef.extra_plugins_dir setting, allowing
+to reload it easily without having to re-download.
gotDisplay the current state of GOT table of the running process.
+The got command optionally takes function names and filters the output displaying only the
+matching functions.
gef➤ got
+
The applied filter partially matches the name of the functions, so you can do something like this.
+gef➤ got str
+gef➤ got print
+gef➤ got read
+
Example of multiple partial filters:
+gef➤ got str get
+
heap-analysis-helperPlease note: This feature is still under development, expect bugs and unstability.
+heap-analysis-helper command aims to help the process of idenfitying Glibc heap inconsistencies by
+tracking and analyzing allocations and deallocations of chunks of memory.
Currently, the following issues can be tracked:
+The helper can simply be activated by running the command heap-analysis-helper.
gef➤ heap-analysis
+[+] Tracking malloc()
+[+] Tracking free()
+[+] Disabling hardware watchpoints (this may increase the latency)
+[+] Dynamic breakpoints correctly setup, GEF will break execution if a possible vulnerabity is found.
+[+] To disable, clear the malloc/free breakpoints (`delete breakpoints`) and restore hardware breakpoints (`set can-use-hw-watchpoints 1`)
+The helper will create specifically crafted breakoints to keep tracks of allocation, which allows to
+discover potential vulnerabilities. Once activated, one can disable the heap analysis breakpoints
+simply by clearing the __GI___libc_free() et __GI___libc_malloc(). It is also possible to
+enable/disable manually punctual checks via the gef config command.
The following settings are accepted:
+check_null_free: to break execution when a free(NULL) is encountered (disabled by default);check_double_free: to break execution when a double free is encountered;
check_weird_free: to execution when free() is called against a non-tracked pointer;check_uaf: to break execution when a possible Use-after-Free condition is found.
Just like the format string vulnerability helper, the heap-analysis-helper can fail to detect
+complex heap scenarios and/or provide some false positive alerts. Each finding must of course be
+ascertained manually.
The heap-analysis-helper can also be used to simply track allocation and liberation of chunks of
+memory. One can simply enable the tracking by setting all the configurations stated above to False:
gef➤ gef config heap-analysis-helper.check_double_free False
+gef➤ gef config heap-analysis-helper.check_free_null False
+gef➤ gef config heap-analysis-helper.check_weird_free False
+gef➤ gef config heap-analysis-helper.check_uaf False
+Then gef will not notify you of any inconsistency detected, but simply display a clear message
+when a chunk is allocated/freed.
To get information regarding the currently tracked chunks, use the show subcommand:
gef➤ heap-analysis-helper show
+
heapThe heap command provides information on the heap chunk specified as argument. For the moment, it
+only supports GlibC heap format (see this
+link for malloc
+structure information). Syntax to the subcommands is straight forward:
gef➤ heap <sub_commands>
+main_arena symbolIf the linked glibc of the target program does not have debugging symbols it might be tricky for GEF
+to find the address of the main_arena which is needed for most of the heap subcommands. If you
+know the offset of this symbol from the glibc base address you can use GEF's config to provide said
+value:
gef➤ gef config gef.main_arena_offset <offset>
+If you do not know this offset and you want GEF to try and find it via bruteforce when executing a
+heap command the next time, you can try this instead:
gef➤ gef config gef.bruteforce_main_arena True
+Note that this might take a few seconds to complete. If GEF does find the symbol you can then +calculate the offset to the libc base address and save it in the config.
+heap chunks commandDisplays all the chunks from the heap section of the current arena.
gef➤ heap chunks
+
To select from which arena to display chunks either use the heap set-arena command or provide the
+base address of the other arena like this:
gef➤ heap chunks [arena_address]
+
In order to display the chunks of all the available arenas at once use
+gef➤ heap chunks -a
+
Because usually the heap chunks are aligned to a certain number of bytes in memory GEF automatically
+re-aligns the chunks data start addresses to match Glibc's behavior. To be able to view unaligned
+chunks as well, you can disable this with the --allow-unaligned flag. Note that this might result
+in incorrect output.
heap chunk commandThis command gives visual information of a Glibc malloc-ed chunked. Simply provide the address to +the user memory pointer of the chunk to show the information related to a specific chunk:
+gef➤ heap chunk [address]
+
Because usually the heap chunks are aligned to a certain number of bytes in memory GEF automatically
+re-aligns the chunks data start addresses to match Glibc's behavior. To be able to view unaligned
+chunks as well, you can disable this with the --allow-unaligned flag. Note that this might result
+in incorrect output.
There is an optional number argument, to specify the number of chunks printed by this command. To
+do so, simply provide the --number argument:
gef➤ heap chunk --number 6 0x4e5400
+Chunk(addr=0x4e5400, size=0xd0, flags=PREV_INUSE)
+Chunk(addr=0x4e54d0, size=0x1a0, flags=PREV_INUSE)
+Chunk(addr=0x4e5670, size=0x200, flags=PREV_INUSE)
+Chunk(addr=0x4e5870, size=0xbc0, flags=PREV_INUSE)
+Chunk(addr=0x4e6430, size=0x330, flags=PREV_INUSE)
+Chunk(addr=0x4e6760, size=0x4c0, flags=PREV_INUSE)
+
+heap arenas commandMulti-threaded programs have different arenas, and the knowledge of the main_arena is not enough.
+gef therefore provides the arena sub-commands to help you list all the arenas allocated in your
+program at the moment you call the command.
heap set-arena commandIn cases where the debug symbol are not present (e.g. statically stripped binary), it is possible to
+instruct GEF to find the main_arena at a different location with the command:
gef➤ heap set-arena [address]
+If the arena address is correct, all heap commands will be functional, and use the specified
+address for main_arena.
heap bins commandGlibc uses bins for keeping tracks of freed chunks. This is because making allocations through
+sbrk (requiring a syscall) is costly. Glibc uses those bins to remember formerly allocated chunks.
+Because bins are structured in single or doubly linked list, I found that quite painful to always
+interrogate gdb to get a pointer address, dereference it, get the value chunk, etc... So I decided
+to implement the heap bins sub-command, which allows to get info on:
fastbinsbinsunsortedsmall binslarge binstcachebinsheap bins fast commandWhen exploiting heap corruption vulnerabilities, it is sometimes convenient to know the state of the
+fastbinsY array.
The fast sub-command helps by displaying the list of fast chunks in this array. Without any other
+argument, it will display the info of the main_arena arena. It accepts an optional argument, the
+address of another arena (which you can easily find using heap arenas).
gef➤ heap bins fast
+──────────────────────── Fastbins for arena 0x7ffff7fb8b80 ────────────────────────
+Fastbins[idx=0, size=0x20] ← Chunk(addr=0x555555559380, size=0x20, flags=PREV_INUSE)
+Fastbins[idx=1, size=0x30] 0x00
+Fastbins[idx=2, size=0x40] 0x00
+Fastbins[idx=3, size=0x50] 0x00
+Fastbins[idx=4, size=0x60] 0x00
+Fastbins[idx=5, size=0x70] 0x00
+Fastbins[idx=6, size=0x80] 0x00
+heap bins X commandAll the other subcommands (with the exception of tcache) for the heap bins work the same way as
+fast. If no argument is provided, gef will fall back to main_arena. Otherwise, it will use the
+address pointed as the base of the malloc_state structure and print out information accordingly.
heap bins tcache commandModern versions of glibc use tcache bins to speed up multithreaded programs. Unlike other bins,
+tcache bins are allocated on a per-thread basis, so there is one set of tcache bins for each
+thread.
gef➤ heap bins tcache [all] [thread_ids...]
+Without any arguments, heap bins tcache will display the tcache for the current thread. heap
+bins tcache all will show the tcaches for every thread, or you can specify any number of thread
+ids to see the tcache for each of them. For example, use the following command to show the
+tcache bins for threads 1 and 2.
gef➤ heap bins tcache 1 2
+gef helpDisplays the help menu for the loaded GEF commands.
+gef➤ gef help
+hexdumpImitation of the WinDBG command.
+This command takes 4 optional arguments:
+hexdump byte will also try to display the ASCII character values if the byte is printable
+(similarly to the hexdump -C command on Linux).
The syntax is as following:
+hexdump (qword|dword|word|byte) [-h] [--reverse] [--size SIZE] [address]
+Examples:
+$pc:gef➤ hexdump qword $pc --size 4
+0x7ffff7a5c1c0+0000 │ 0x4855544155415641
+0x7ffff7a5c1c0+0008 │ 0x0090ec814853cd89
+0x7ffff7a5c1c0+0010 │ 0x377d6f058b480000
+0x7ffff7a5c1c0+0018 │ 0x748918247c894800
+gef➤ hexdump byte 0x00007fffffffe5e5 --size 32
+0x00007fffffffe5e5 2f 68 6f 6d 65 2f 68 75 67 73 79 2f 63 6f 64 65 /home/hugsy/code
+0x00007fffffffe5f5 2f 67 65 66 2f 74 65 73 74 73 2f 77 69 6e 00 41 /gef/tests/win.A
+$sp in reverse order:gef➤ hexdump word 8 --reverse
+0x00007fffffffe0ee│+0x000e 0x0000
+0x00007fffffffe0ec│+0x000c 0x7fff
+0x00007fffffffe0ea│+0x000a 0xffff
+0x00007fffffffe0e8│+0x0008 0xe3f5
+0x00007fffffffe0e6│+0x0006 0x0000
+0x00007fffffffe0e4│+0x0004 0x0000
+0x00007fffffffe0e2│+0x0002 0x0000
+0x00007fffffffe0e0│+0x0000 0x0001
+highlightThis command sets up custom highlighting for user set strings.
+Syntax:
+highlight (add|remove|list|clear)
+Alias:
+hlThe following will add 41414141/'AAAA' as yellow, and 42424242/'BBBB'
+as blue:
gef➤ hl add 41414141 yellow
+gef➤ hl add 42424242 blue
+gef➤ hl add AAAA yellow
+gef➤ hl add BBBB blue
+To remove a match, target it by the original string used, ex.:
+gef➤ hl rm 41414141
+To list all matches with their colors:
+gef➤ hl list
+41414141 | yellow
+42424242 | blue
+AAAA | yellow
+BBBB | blue
+To clear all matches currently setup:
+gef➤ hl clear
+RegEx support is disabled by default, this is done for performance reasons.
+To enable regular expressions on text matches:
+gef➤ gef config highlight.regex True
+To check the current status:
+gef➤ gef config highlight.regex
+highlight.regex (bool) = True
+NOTE: Adding many matches may slow down debugging while using GEF. This includes enabling RegEx +support.
+To find a list of supported colors, check the theme documentation.
+ + + + + + +hijack-fdgef can be used to modify file descriptors of the debugged process. The new
+file descriptor can point to a file, a pipe, a socket, a device etc.
To use it, simply run
+gef➤ hijack-fd FDNUM NEWFILE
+For instance,
+gef➤ hijack-fd 1 /dev/null
+Will modify the current process file descriptors to redirect STDOUT to
+/dev/null.
This command also supports connecting to an ip:port if it is provided as an +argument. For example
+gef➤ hijack-fd 0 localhost:8888
+Will redirect STDIN to localhost:8888
+Check out the tutorial on GEF's YouTube channel:
+
ksymaddrksymaddr helps locate a kernel symbol by its name.
The syntax is straight forward:
+ksymaddr <PATTERN>
+For example,
+gef➤ ksymaddr commit_creds
+[+] Found matching symbol for 'commit_creds' at 0xffffffff8f495740 (type=T)
+[*] Found partial match for 'commit_creds' at 0xffffffff8f495740 (type=T): commit_creds
+[*] Found partial match for 'commit_creds' at 0xffffffff8fc71ee0 (type=R): __ksymtab_commit_creds
+[*] Found partial match for 'commit_creds' at 0xffffffff8fc8d008 (type=r): __kcrctab_commit_creds
+[*] Found partial match for 'commit_creds' at 0xffffffff8fc9bfcd (type=r): __kstrtab_commit_creds
+Note that the debugging process needs to have the correct permissions for this command to show +kernel addresses. For more information see also this stackoverflow +post.
+ + + + + + +memoryAs long as the 'memory' section is enabled in your context layout (which it is by default), you can +register addresses, lengths, and grouping size.
+
Note: this command shoud NOT be mistaken with the GDB watch
+command meant to set
+breakpoints on memory access (read,write,exec).
Specify a location to watch and display with the context, along with their optional size and format:
+Syntax:
+memory watch <ADDRESS> [SIZE] [(qword|dword|word|byte|pointers)]
+If the format specified is pointers, then the output will be similar to executing the command
+dereference $address. For all other format, the output will be an hexdump of the designated
+location.
Note that the address format is a GDB therefore a symbol can be passed to it. It also supports GEF +functions +format +allowing to easily track commonly used addresses:
+For example, to watch the first 5 entries of the GOT as pointers:
+gef ➤ memory watch $_got()+0x18 5
+[+] Adding memwatch to 0x555555773c50
+Which, when the context is displayed, will show something like:
Remove a watched address. To list all the addresses being watched, use memory list.
Syntax:
+memory unwatch <ADDRESS>
+Enumerate all the addresses currently watched by the memory command.
Syntax:
+memory list
+The command will output a list of all the addresses watched, along with the size and format to display them as.
+Empties the list of addresses to watch.
+Syntax:
+memory reset
+name-breakThe command name-break (alias nb) can be used to set a breakpoint on a location with a name
+assigned to it.
Every time this breakpoint is hit, the specified name will also be shown in the extra section to
+make it easier to keep an overview when using multiple breakpoints in a stripped binary.
name-break name [address]
address may be a linespec, address, or explicit location, same as specified for break. If
+address isn't specified, it will create the breakpoint at the current instruction pointer address.
Examples:
+nb first *0x400ec0nb "main func" mainnb read_secret *main+149nb check_heapExample output:
+─────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x400e04 add eax, 0xfffbe6e8
+ 0x400e09 dec ecx
+ 0x400e0b ret
+ → 0x400e0c push rbp
+ 0x400e0d mov rbp, rsp
+ 0x400e10 sub rsp, 0x50
+ 0x400e14 mov QWORD PTR [rbp-0x48], rdi
+ 0x400e18 mov QWORD PTR [rbp-0x50], rsi
+ 0x400e1c mov rax, QWORD PTR fs:0x28
+───────────────────────────────────────────────────────────────────────────────── stack ────
+0x00007fffffffe288│+0x0000: 0x0000000000401117 → movzx ecx, al ← $rsp
+0x00007fffffffe290│+0x0008: 0x00007fffffffe4b8 → 0x00007fffffffe71d → "/ctf/t19/srv_copy"
+0x00007fffffffe298│+0x0010: 0x0000000100000000
+0x00007fffffffe2a0│+0x0018: 0x0000000000000000
+0x00007fffffffe2a8│+0x0020: 0x0000000000000004
+0x00007fffffffe2b0│+0x0028: 0x0000000000000000
+───────────────────────────────────────────────────────────────────────────────── extra ────
+[+] Hit breakpoint *0x400e0c (check_entry)
+────────────────────────────────────────────────────────────────────────────────────────────
+gef➤
+nopThe nop command allows you to easily patch instructions with nops.
nop [LOCATION] [--i ITEMS] [--f] [--n] [--b]
+LOCATION address/symbol to patch (by default this command replaces whole instructions)
--i ITEMS number of items to insert (default 1)
--f Force patch even when the selected settings could overwrite partial instructions
--n Instead of replacing whole instructions, insert ITEMS nop instructions, no matter how many
+instructions it overwrites
--b Instead of replacing whole instructions, fill ITEMS bytes with nops
nop the current instruction ($pc):
+gef➤ nop
+nop an instruction at $pc+3 address:
+gef➤ nop $pc+3
+nop two instructions at address $pc+3:
+gef➤ nop --i 2 $pc+3
+Replace 1 byte with nop at current instruction ($pc):
+gef➤ nop --b
+Replace 1 byte with nop at address $pc+3:
+gef➤ nop --b $pc+3
+Replace 2 bytes with nop(s) (breaking the last instruction) at address $pc+3:
+gef➤ nop --f --b --i 2 $pc+3
+Patch 2 nops at address $pc+3:
+gef➤ nop --n --i 2 $pc+3
+patchpatch lets you easily patch the specified values to the specified address.
gef➤ patch byte $eip 0x90
+gef➤ patch string $eip "cool!"
+These commands copy the first 10 bytes of $rsp+8 to $rip:
+gef➤ print-format --lang bytearray -l 10 $rsp+8
+Saved data b'\xcb\xe3\xff\xff\xff\x7f\x00\x00\x00\x00'... in '$_gef0'
+gef➤ patch byte $rip $_gef0
+Very handy to copy-paste-execute shellcodes/data from different memory regions.
+ + + + + + +patternThis command will create or search a De Bruijn +cyclic pattern to facilitate determining offsets in memory. The sequence consists of a number of +unique substrings of a chosen length.
+It should be noted that for better compatibility, the algorithm implemented in GEF is the same as
+the one in pwntools, and can therefore be used in conjunction.
pattern createpattern create [-h] [-n N] [length]
+The sub-command create allows one create a new De Bruijn sequence. The optional argument n
+determines the length of unique subsequences. Its default value matches the currently loaded
+architecture. The length argument sets the total length of the whole sequence.
gef➤ pattern create -n 4 128
+[+] Generating a pattern of 128 bytes (n=4)
+aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaab
+[+] Saved as '$_gef0'
+The equivalent command with pwntools is
from pwn import *
+p = cyclic(128, n=8)
+pattern searchpattern search [-h] [-n N] [--max-length MAX_LENGTH] [pattern]
+The search sub-command seeks the pattern given as argument, trying to find its offset in the De
+Bruijn sequence. The optional argument n determines the length of unique subsequences, and it
+should usually match the length of pattern. Using MAX_LENGTH the maximum length of the sequence
+to search in can be adjusted.
Note that the pattern can be passed as a GDB symbol (such as a register name), a string or a
+hexadecimal value
gef➤ pattern search 0x6161616161616167
+[+] Searching '0x6161616161616167'
+[+] Found at offset 48 (little-endian search) likely
+[+] Found at offset 41 (big-endian search)
+gef➤ pattern search $rbp
+[+] Searching '$rbp'
+[+] Found at offset 32 (little-endian search) likely
+[+] Found at offset 25 (big-endian search)
+gef➤ pattern search aaaaaaac
+[+] Searching for 'aaaaaaac'
+[+] Found at offset 16 (little-endian search) likely
+[+] Found at offset 9 (big-endian search)
+pcustomgef provides a way to create and apply to the currently debugged environment, any new structure
+(in the C-struct way). On top of simply displaying known and user-defined structures, it also allows
+to apply those structures to the current context. It intends to mimic the very useful WinDBG
+dt command.
This is achieved via the command pcustom (for print custom), or you can use its alias, dt (in
+reference to the WinDBG command) as provided by the WinDbg compatibility
+extension
New structures can be stored in the location given by the configuration setting:
+gef➤ gef config pcustom.struct_path
+By default, this location is in $TEMP/gef/structs (e.g. /tmp/user/1000/gef/structs). The
+structure can be created as a simple ctypes structure, in a file called <struct_name>.py.
You can naturally set this path to a new location
+gef➤ gef config pcustom.struct_path /my/new/location
+And save this change so you can re-use it directly next time you use gdb
gef➤ gef save
+[+] Configuration saved to '~/.gef.rc'
+You can list existing custom structures via
+gef➤ pcustom list
+[+] Listing custom structures from '/tmp/structs'
+ → /tmp/structs/A.py (A, B)
+ → /tmp/structs/elf32_t.py (elf32_t)
+ → /tmp/structs/elf64_t.py (elf64_t)
+[...]
+To create or edit a structure, use pcustom edit <struct_name> to spawn your EDITOR with the
+targeted structure. If the file does not exist, gef will nicely create the tree and file, and fill
+it with a ctypes template that you can use straight away!
gef➤ pcustom new mystruct_t
+[+] Creating '/tmp/gef/structs/mystruct_t.py' from template
+If the structure already exists, GEF will open the text editor to edit the known structure. This is +equivalent to:
+gef➤ pcustom edit elf32_t
+[+] Editing '/home/hugsy/code/gef-extras/structs/elf32_t.py'
+ctypes.Structure-like classesThe code can be defined just as any Python (using ctypes) code.
from ctypes import *
+
+'''
+typedef struct {
+ int age;
+ char name[256];
+ int id;
+} person_t;
+'''
+
+class person_t(Structure):
+ _fields_ = [
+ ("age", c_int),
+ ("name", c_char * 256),
+ ("id", c_int),
+ ]
+
+ _values_ = [
+ # You can define a function to substitute the value
+ ("age", lambda age: "Old" if age > 40 else "Young"),
+ # Or alternatively a list of 2-tuples
+ ("id", [
+ (0, "root"),
+ (1, "normal user"),
+ (None, "Invalid person")
+ ])
+ ]
+pcustom requires at least one argument, which is the name of the structure. With only one
+argument, pcustom will dump all the fields of this structure.
gef➤ dt person_t
++0000 age c_int /* size=0x4 */
++0004 name c_char_Array_256 /* size=0x100 */
++0104 id c_int /* size=0x4 */
+By providing an address or a GDB symbol, gef will apply this user-defined structure to the
+specified address:
This means that we can now create very easily new user-defined structures
+For a full demo, watch the following tutorial:
+
Additionally, if you have successfully configured your IDA settings, you can also directly import
+the structure(s) that was(were) reverse-engineered in IDA directly in your GDB session:
+
- (see gef-extras/ida-rpyc, which is the new improved version of ida-interact)
ctypes.Structure-like classespcustom also supports the use of class factories to create a ctypes.Structure class whose
+structure will be adjusted based on the runtime information we provide (information about the
+currently debugged binary, the architecture, the size of a pointer and more).
The syntax is relatively close to the way we use to create static classes (see above), but instead
+we define a function that will generate the class. The requirements for this class factory are:
+- take a single Gef positional
+ argument
+- End the function name with _t
To continue the person_t function we defined in the example above, we could modify the static
+class as a dynamic one very easily:
import ctypes
+from typing import Optional
+
+def person_t(gef: Optional["Gef"]=None):
+ fields = [
+ ("age", ctypes.c_int),
+ ("name", ctypes.c_char * 256),
+ ("id", ctypes.c_int),
+ ]
+
+ class person_cls(ctypes.Structure):
+ _fields_ = fields
+
+ return person_cls
+Thanks to the gef parameter, the structure can be transparently adjusted so that GEF will parse it
+differently with its runtime information. For example, we can add constraints to the example above:
import ctypes
+from typing import Optional
+
+def person_t(gef: Optional["Gef"]==None):
+ fields = [
+ ("age", ctypes.c_uint8),
+ ("name", ctypes.c_char * 256),
+ ("id", ctypes.c_uint8),
+ ]
+
+ # constraint on the libc version
+ if gef.libc.version > (2, 27):
+ # or on the pointer size
+ pointer_type = ctypes.c_uint64 if gef.arch.ptrsize == 8 else ctypes.c_uint32
+ fields += [
+ ("new_field", pointer_size)
+ ]
+
+ class person_cls(ctypes.Structure):
+ _fields_ = fields
+
+ return person_cls
+A community contributed repository of structures can be found in
+gef-extras. To deploy it:
In bash:
+$ git clone https://github.com/hugsy/gef-extras
+In GEF:
+gef➤ gef config pcustom.struct_path /path/to/gef-extras/structs
+gef➤ gef save
+Then either close GDB or gef reload. You can confirm the structures were correctly loaded in GEF's
+prompt:
gef➤ pcustom list
+Should return several entries.
+And remember this is collaborative repository, so feel free to contribute too!
+ + + + + + +pieThe pie command is handy when working with position-independent executables. At runtime, it can
+automatically resolve addresses for breakpoints that are not static.
Note that you need to use the entire pie command series to support PIE breakpoints, especially
+the "pie run commands", like pie attach, pie run, etc.
pie breakpoint commandThis command sets a new PIE breakpoint. It can be used like the normal breakpoint command in gdb.
+The argument for the command is the offset from the base address or a symbol. The breakpoints will
+not be set immediately after this command. Instead, it will be set when you use pie attach, pie
+run or pie remote to actually attach to a process, so it can resolve the right base address.
Usage:
+gef➤ pie breakpoint OFFSET
+pie info commandSince a PIE breakpoint is not a real breakpoint, this command provides a way to observe the state of +all PIE breakpoints.
+This works just like info breakpoint in gdb.
gef➤ pie info
+VNum Num Addr
+1 N/A 0xdeadbeef
+VNum stands for virtual number and is used to enumerate the PIE breakpoints. Num is the number of +the associated real breakpoints at runtime in GDB.
+You can omit the VNum argument to get info on all PIE breakpoints.
+Usage:
+gef➤ pie info [VNum]
+
+pie delete commandThis command deletes a PIE breakpoint given its VNum.
+Usage:
+gef➤ pie delete [VNum]
+pie attach commandThis command behaves like GDB's attach command. Always use this command instead of attach if you
+have PIE breakpoints. This will convert the PIE breakpoints to real breakpoints at runtime.
The usage is just the same as attach.
pie remote commandThis command behaves like GDB's remote command. Always use this command instead of remote if you
+have PIE breakpoints. Behind the scenes this will connect to the remote target using gef remote
+and then convert the PIE breakpoints to real breakpoints at runtime.
The usage is just the same as remote.
pie run commandThis command behaves like GDB's run command. Always use this command instead of run if you have
+PIE breakpoints. This will convert the PIE breakpoints to real breakpoints at runtime.
The usage is just the same as run.
print-formatThe command print-format (alias pf) will dump an arbitrary location as an array of bytes
+following the format specified. Currently, the output formats supported are
py - default)c)asm)js)hex)bytearray)gef➤ print-format -h
+[+] print-format [--lang LANG] [--bitlen SIZE] [(--length,-l) LENGTH] [--clip] LOCATION
+ --lang LANG specifies the output format for programming language (available: ['py', 'c', 'js', 'asm', 'hex'], default 'py').
+ --bitlen SIZE specifies size of bit (possible values: [8, 16, 32, 64], default is 8).
+ --length LENGTH specifies length of array (default is 256).
+ --clip The output data will be copied to clipboard
+ LOCATION specifies where the address of bytes is stored.
+For example this command will dump 10 bytes from $rsp and copy the result to the clipboard.
gef➤ print-format --lang py --bitlen 8 -l 10 --clip $rsp
+[+] Copied to clipboard
+buf = [0x87, 0xfa, 0xa3, 0xf7, 0xff, 0x7f, 0x0, 0x0, 0x30, 0xe6]
+These commands copy the first 10 bytes of $rsp+8 to $rip:
+gef➤ print-format --lang bytearray -l 10 $rsp+8
+Saved data b'\xcb\xe3\xff\xff\xff\x7f\x00\x00\x00\x00'... in '$_gef0'
+gef➤ display/x $_gef0[5]
+4: /x $_gef0[5] = 0x7f
+gef➤ patch byte $rip $_gef0
+Very handy to copy-paste-execute shellcodes/data from different memory regions.
+ + + + + + +process-searchprocess-search (aka ps) is a convenience command to list and filter process on the host. It is
+aimed at making the debugging process a little easier when targeting forking process (such as
+tcp/listening daemon that would fork upon accept()).
Without argument, it will return all processes reachable by user:
+gef➤ ps
+1 root 0.0 0.4 ? /sbin/init
+2 root 0.0 0.0 ? [kthreadd]
+3 root 0.0 0.0 ? [ksoftirqd/0]
+4 root 0.0 0.0 ? [kworker/0:0]
+5 root 0.0 0.0 ? [kworker/0:0H]
+6 root 0.0 0.0 ? [kworker/u2:0]
+7 root 0.0 0.0 ? [rcu_sched]
+8 root 0.0 0.0 ? [rcuos/0]
+9 root 0.0 0.0 ? [rcu_bh]
+10 root 0.0 0.0 ? [rcuob/0]
+11 root 0.0 0.0 ? [migration/0]
+[...]
+Or to filter with pattern:
+gef➤ ps bash
+22590 vagrant 0.0 0.8 pts/0 -bash
+Note: Use "\" for escaping and "\\" for a literal backslash" in the pattern.
+ps also accepts options:
--smart-scan will filter out probably less relevant processes (belonging to different users,
+ pattern matched to arguments instead of the commands themselves, etc.)--attach will automatically attach to the first process foundSo, for example, if your targeted process is called /home/foobar/plop, but the existing instance
+is used through socat, like
$ socat tcp-l:1234,fork,reuseaddr exec:/home/foobar/plop
+Then every time a new connection is opened to tcp/1234, plop will be forked, and GEF can easily
+attach to it with the command
gef➤ ps --attach --smart-scan plop
+process-status++This command replaces the old commands
+pidandfd.
process-status provides an exhaustive description of the current running process, by extending the
+information provided by GDB info proc command, with all the information from the procfs
+structure.
gef➤ ps --smart-scan zsh
+22879
+gef➤ attach 22879
+[...]
+gef➤ status
+[+] Process Information
+ PID → 22879
+ Executable → /bin/zsh
+ Command line → '-zsh'
+[+] Parent Process Information
+ Parent PID → 4475
+ Command line → 'tmux new -s cool vibe
+[+] Children Process Information
+ PID → 26190 (Name: '/bin/sleep', CmdLine: 'sleep 100000')
+[+] File Descriptors:
+ /proc/22879/fd/0 → /dev/pts/4
+ /proc/22879/fd/1 → /dev/pts/4
+ /proc/22879/fd/2 → /dev/pts/4
+ /proc/22879/fd/10 → /dev/pts/4
+[+] File Descriptors:
+ No TCP connections
+registersThe registers command will print all the registers and dereference any pointers.
Example on a MIPS host:
+gef➤ reg
+$zero : 0x00000000
+$at : 0x00000001
+$v0 : 0x7fff6cd8 -> 0x77e5e7f8 -> <__libc_start_main+200>: bnez v0,0x77e5e8a8
+$v1 : 0x77ff4490
+$a0 : 0x00000001
+$a1 : 0x7fff6d94 -> 0x7fff6e85 -> "/root/demo-mips"
+$a2 : 0x7fff6d9c -> 0x7fff6e91 -> "SHELL=/bin/bash"
+$a3 : 0x00000000
+$t0 : 0x77fc26a0 -> 0x0
+$t1 : 0x77fc26a0 -> 0x0
+$t2 : 0x77fe5000 -> "_dl_fini"
+$t3 : 0x77fe5000 -> "_dl_fini"
+$t4 : 0xf0000000
+$t5 : 0x00000070
+$t6 : 0x00000020
+$t7 : 0x7fff6bc8 -> 0x0
+$s0 : 0x00000000
+$s1 : 0x00000000
+$s2 : 0x00000000
+$s3 : 0x00500000
+$s4 : 0x00522f48
+$s5 : 0x00522608
+$s6 : 0x00000000
+$s7 : 0x00000000
+$t8 : 0x0000000b
+$t9 : 0x004008b0 -> <main>: addiu sp,sp,-32
+$k0 : 0x00000000
+$k1 : 0x00000000
+$s8 : 0x00000000
+$status : 0x0000a413
+$badvaddr : 0x77e7a874 -> <__cxa_atexit>: lui gp,0x15
+$cause : 0x10800024
+$pc : 0x004008c4 -> <main+20>: li v0,2
+$sp : 0x7fff6ca0 -> 0x77e4a834 -> 0x29bd
+$hi : 0x000001a5
+$lo : 0x00005e17
+$fir : 0x00739300
+$fcsr : 0x00000000
+$ra : 0x77e5e834 -> <__libc_start_main+260>: lw gp,16(sp)
+$gp : 0x00418b20
+If one or more register names are passed to the registers command as optional arguments, then only
+those will be shown:
gef➤ reg $rax $rip $rsp
+$rax : 0x0000555555555169 → <main+0> endbr64
+$rsp : 0x00007fffffffe3e8 → 0x00007ffff7df40b3 → <__libc_start_main+243> mov edi, eax
+$rip : 0x0000555555555169 → <main+0> endbr64
+reset-cacheThis command is only useful for debugging GEF itself.
scanscan searches for addresses of one memory region (needle) inside another region (haystack) and
+lists all results.
Usage:
+gef➤ scan NEEDLE HAYSTACK
+scan requires two arguments, the first is the memory section that will be searched and the second
+is what will be searched for. The arguments are grepped against the process's memory mappings (just
+like vmmap) to determine the memory ranges to search.
gef➤ scan stack libc
+[+] Searching for addresses in 'stack' that point to 'libc'
+[stack]: 0x00007fffffffd6a8│+0x1f6a8: 0x00007ffff77cf482 → "__tunable_get_val"
+[stack]: 0x00007fffffffd6b0│+0x1f6b0: 0x00007ffff77bff78 → 0x0000001200001ab2
+[stack]: 0x00007fffffffd758│+0x1f758: 0x00007ffff77cd9d0 → 0x6c5f755f72647800
+[stack]: 0x00007fffffffd778│+0x1f778: 0x00007ffff77bda6c → 0x0000090900000907
+[stack]: 0x00007fffffffd7d8│+0x1f7d8: 0x00007ffff77cd9d0 → 0x6c5f755f72647800
+[...]
+To check mappings without a path associated, an address range (start-end) can be used. Note that +ranges don't include whitespaces.
+
search-patterngef allows you to search for a specific pattern at runtime in all the segments of your process
+memory layout. The command search-pattern, alias grep, aims to be straight-forward to use:
gef➤ search-pattern MyPattern
+
It will provide an easily understandable to spot occurrences of the specified pattern, including the +section it/they was/were found, and the permission associated to that section.
+search-pattern can also be used to search for addresses. To do so, simply ensure that your pattern
+starts with 0x and is a valid hex address. For example:
gef➤ search-pattern 0x4005f6
+
The search-pattern command can also be used as a way to search for cross-references to an address.
+For this reason, the alias xref also points to the command search-pattern. Therefore the
+command above is equivalent to xref 0x4005f6 which makes it more intuitive to use.
Sometimes, you may need to search for a very common pattern. To limit the search space, you can also +specify an address range or the section to be checked.
+gef➤ search-pattern 0x4005f6 little libc
+gef➤ search-pattern 0x4005f6 little 0x603100-0x603200
+Sometimes, you may need an advanced search using regex. Just use --regex arg.
+Example: how to find null-end-printable(from x20-x7e) C strings (min size >=2 bytes) with a regex:
+gef➤ search-pattern --regex 0x401000 0x401500 ([\\x20-\\x7E]{2,})(?=\\x00)
+
+shellcodeshellcode is a command line client for @JonathanSalwan shellcodes database. It can be used to
+search and download directly via GEF the shellcode you're looking for. Two primitive subcommands
+are available, search and get
gef➤ shellcode search arm
+[+] Showing matching shellcodes
+901 Linux/ARM Add map in /etc/hosts file - 79 bytes
+853 Linux/ARM chmod("/etc/passwd", 0777) - 39 bytes
+854 Linux/ARM creat("/root/pwned", 0777) - 39 bytes
+855 Linux/ARM execve("/bin/sh", [], [0 vars]) - 35 bytes
+729 Linux/ARM Bind Connect UDP Port 68
+730 Linux/ARM Bindshell port 0x1337
+[...]
+gef➤ shellcode get 698
+[+] Downloading shellcode id=698
+[+] Shellcode written as '/tmp/sc-EfcWtM.txt'
+gef➤ system cat /tmp/sc-EfcWtM.txt
+/*
+Title: Linux/ARM - execve("/bin/sh", [0], [0 vars]) - 27 bytes
+Date: 2010-09-05
+Tested on: ARM926EJ-S rev 5 (v5l)
+Author: Jonathan Salwan - twitter: @jonathansalwan
+
+shell-storm.org
+
+Shellcode ARM without 0x20, 0x0a and 0x00
+[...]
+skipiThe skipi command allows you to easily skip instructions execution.
skipi [LOCATION] [--n NUM_INSTRUCTIONS]
+LOCATION address/symbol from where to skip (default is $pc)
--n NUM_INSTRUCTIONS Skip the specified number of instructions instead of the default 1.
gef➤ skipi
+gef➤ skipi --n 3
+gef➤ skipi 0x69696969
+gef➤ skipi 0x69696969 --n 6
+stubThe stub command allows you stub out functions, optionally specifying the return value.
gef➤ stub [-h] [--retval RETVAL] [address]
+address indicates the address of the function to bypass. If not specified, GEF will consider the
+instruction at the program counter to be the start of the function.
If --retval RETVAL is provided, GEF will set the return value to the provided value. Otherwise,
+it will set the return value to 0.
For example, it is trivial to bypass fork() calls. Since the return value is set to 0, it will in
+fact drop us into the "child" process. It must be noted that this is a different behaviour from the
+classic set follow-fork-mode child since here we do not spawn a new process, we only trick the
+parent process into thinking it has become the child.
Patching fork() calls:
themeCustomize GEF by changing its color scheme.
gef➤ theme
+context_title_message : red bold
+default_title_message : red bold
+default_title_line : green bold
+context_title_line : green bold
+disable_color : 0
+xinfo_title_message : blue bold
+You have the possibility to change the coloring properties of GEF display with the theme
+command. The command accepts 2 arguments, the name of the property to update, and its new coloring
+value.
Colors can be one of the following:
+Color also accepts the following attributes:
+Any other will value simply be ignored.
+gef➤ theme context_title_message blue bold foobar
+gef➤ theme
+context_title_message : blue bold
+default_title_message : red bold
+default_title_line : green bold
+context_title_line : green bold
+disable_color : 0
+xinfo_title_message : blue bold
+tmux-setupIn the purpose of always making debugging sessions easier while being more effective, GEF
+integrates two commands:
tmux-setupscreen-setupThose commands will check whether GDB is being spawn from inside a tmux (resp. screen) session,
+and if so, will split the pane vertically, and configure the context to be redirected to the new
+pane, looking something like:
To set it up, simply enter
+gef➤ tmux-setup
+Note: Although screen-setup provides a similar setup, the structure of screen does not allow
+a very clean way to do this. Therefore, if possible, it would be recommended to use the tmux-setup
+command instead.
On Linux tmux only supports 8 colors with some terminal capabilities ($TERM environment variable).
+This can mess up your color themes when using GEF with tmux. To remedy this if your terminal
+supports more colors you can either set the variable to something like TERM=screen-256color or if
+you don't want or can't change that variable you can start tmux with the -2 flag to force tmux
+to use 256 colors.
trace-runThe trace-run command is meant to be provide a visual appreciation directly in IDA disassembler of
+the path taken by a specific execution. It should be used with the IDA script
+ida_color_gdb_trace.py
It will trace and store all values taken by $pc during the execution flow, from its current value,
+until the value provided as argument.
gef> trace-run <address_of_last_instruction_to_trace>
+
By using the script ida_color_gdb_trace.py on the text file generated, it will color the path
+taken:
versionPrint out version information about your current gdb environment.
+When GEF is located in a directory tracked with git:
+gef➤ version
+GEF: rev:48a9fd74dd39db524fb395e7db528f85cc49d081 (Git - clean)
+SHA1(/gef/rules/gef.py): 848cdc87ba7c3e99e8129ad820c9fcc0973b1e99
+GDB: 9.2
+GDB-Python: 3.8
+Otherwise the command shows the standalone information:
gef➤ version
+GEF: (Standalone)
+Blob Hash(/gef/rules/gef.py): f0aef0f481e8157006b26690bd121585d3befee0
+SHA1(/gef/rules/gef.py): 4b26a1175abcd8314d4816f97fdf908b3837c779
+GDB: 9.2
+GDB-Python: 3.8
+The Blob Hash can be used to easily find the git commit(s) matching this file revision.
git log --oneline --find-object <BLOB_HASH>
+If this command does not return anything then the file was most likely modified and cannot be +matched to a specific git commit.
+ + + + + + +vmmapvmmap displays the target process's entire memory space mapping.
Interestingly, it helps finding secret gems: as an aware reader might have seen, memory mapping
+differs from one architecture to another (this is one of the main reasons I started GEF in a first
+place). For example, you can learn that ELF running on SPARC architectures always have their .data
+and heap sections set as Read/Write/Execute.
vmmap accepts one argument, either a pattern to match again mapping names, or an address to
+determine which section it belongs to.
xfilesxfiles is a more convenient representation of the GDB native command, info files allowing you to
+filter by pattern given in argument. For example, if you only want to show the code sections (i.e.
+.text):
xinfoxinfo displays all the information known to gef about the specific address given as argument:
Important note : For performance reasons, gef caches certain results. gef will try to
+automatically refresh its own cache to avoid relying on obsolete information of the debugged
+process. However, in some dodgy scenario, gef might fail detecting some new events making its
+cache partially obsolete. If you notice an inconsistency on your memory mapping, you might want to
+force gef flushing its cache and fetching brand new data, by running the command reset-cache.
xor-memoryThis command is used to XOR a block of memory.
+Its syntax is:
+xor-memory <display|patch> <address> <size_to_read> <xor_key>
+The first argument (display or patch) is the action to perform:
display will only show an hexdump of the result of the XOR-ed memory block, without writing the
+ debuggee's memory.
gef➤ xor display $rsp 16 1337
+[+] Displaying XOR-ing 0x7fff589b67f8-0x7fff589b6808 with '1337'
+────────────────────────────────[ Original block ]────────────────────────────────────
+0x00007fff589b67f8 46 4e 40 00 00 00 00 00 00 00 00 00 00 00 00 00 FN@.............
+────────────────────────────────[ XOR-ed block ]──────────────────────────────────────
+0x00007fff589b67f8 55 79 53 37 13 37 13 37 13 37 13 37 13 37 13 37 UyS7.7.7.7.7.7.7
+patch will overwrite the memory with the xor-ed content.
gef➤ xor patch $rsp 16 1337
+[+] Patching XOR-ing 0x7fff589b67f8-0x7fff589b6808 with '1337'
+gef➤ hexdump byte $rsp 16
+0x00007fff589b67f8 55 79 53 37 13 37 13 37 13 37 UyS7.7.7.7
+This matrix indicates the version of Python and/or GDB
+| GEF version | +GDB Python compatibility* | +Python compatibility* | +
|---|---|---|
| 2018.02 | +7.2 | +Python 2.7, Python 3.4+ | +
| 2020.03 | +7.4 | +Python 2.7, Python 3.4+ | +
| 2022.01 | +7.7 | +Python 3.4+ | +
| Current | +8.0+ | +Python 3.6+ | +
GEF comes with its own configuration and customization system, allowing fine
+tweaking. The configuration file is located under ~/.gef.rc by default, and
+is automatically loaded when GEF is loaded by GDB. If not configuration file is
+found, GEF will simply use the default settings.
The configuration file is a Python
+configparser. To
+create a basic file with all settings and their default values, simply run
gdb -ex 'gef save' -ex quit
+You can now explore the configuration file under ~/.gef.rc.
Once in GEF, the configuration settings can be set/unset/modified by the
+command gef config. Without argument the command
+will simply dump all known settings:
To update, follow the syntax
+gef➤ gef config <Module>.<ModuleSetting> <Value>
+Any setting updated this way will be specific to the current GDB session. To +make permanent, use the following command
+gef➤ gef save
+Refer to the gef config command documentation for
+complete explanation.
+ « prev + ^ index + » next + + coverage.py v7.2.7, + created at 2023-08-01 03:12 +0000 +
+ +1#######################################################################################
+2# GEF - Multi-Architecture GDB Enhanced Features for Exploiters & Reverse-Engineers
+3#
+4# by @_hugsy_
+5#######################################################################################
+6#
+7# GEF is a kick-ass set of commands for X86, ARM, MIPS, PowerPC and SPARC to
+8# make GDB cool again for exploit dev. It is aimed to be used mostly by exploit
+9# devs and reversers, to provides additional features to GDB using the Python
+10# API to assist during the process of dynamic analysis.
+11#
+12# GEF fully relies on GDB API and other Linux-specific sources of information
+13# (such as /proc/<pid>). As a consequence, some of the features might not work
+14# on custom or hardened systems such as GrSec.
+15#
+16# Since January 2020, GEF solely support GDB compiled with Python3 and was tested on
+17# * x86-32 & x86-64
+18# * arm v5,v6,v7
+19# * aarch64 (armv8)
+20# * mips & mips64
+21# * powerpc & powerpc64
+22# * sparc & sparc64(v9)
+23#
+24# For GEF with Python2 (only) support was moved to the GEF-Legacy
+25# (https://github.com/hugsy/gef-legacy)
+26#
+27# To start: in gdb, type `source /path/to/gef.py`
+28#
+29#######################################################################################
+30#
+31# gef is distributed under the MIT License (MIT)
+32# Copyright (c) 2013-2023 crazy rabbidz
+33#
+34# Permission is hereby granted, free of charge, to any person obtaining a copy
+35# of this software and associated documentation files (the "Software"), to deal
+36# in the Software without restriction, including without limitation the rights
+37# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+38# copies of the Software, and to permit persons to whom the Software is
+39# furnished to do so, subject to the following conditions:
+40#
+41# The above copyright notice and this permission notice shall be included in all
+42# copies or substantial portions of the Software.
+43#
+44# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+45# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+46# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+47# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+48# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+49# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+50# SOFTWARE.
+ +52import abc
+53import argparse
+54import ast
+55import atexit
+56import binascii
+57import codecs
+58import collections
+59import configparser
+60import ctypes
+61import enum
+62import functools
+63import hashlib
+64import importlib
+65import importlib.util
+66import inspect
+67import itertools
+68import os
+69import pathlib
+70import platform
+71import re
+72import shutil
+73import site
+74import socket
+75import string
+76import struct
+77import subprocess
+78import sys
+79import tempfile
+80import time
+81import traceback
+82import warnings
+83from functools import lru_cache
+84from io import StringIO, TextIOWrapper
+85from types import ModuleType
+86from typing import (Any, ByteString, Callable, Dict, Generator, Iterable,
+87 Iterator, List, NoReturn, Optional, Sequence, Set, Tuple, Type,
+88 Union)
+89from urllib.request import urlopen
+ +91GEF_DEFAULT_BRANCH = "main"
+92GEF_EXTRAS_DEFAULT_BRANCH = "main"
+ +94def http_get(url: str) -> Optional[bytes]:
+95 """Basic HTTP wrapper for GET request. Return the body of the page if HTTP code is OK,
+96 otherwise return None."""
+97 try:
+98 http = urlopen(url)
+99 return http.read() if http.getcode() == 200 else None
+100 except Exception:
+101 return None
+ + +104def update_gef(argv: List[str]) -> int:
+105 """Try to update `gef` to the latest version pushed on GitHub main branch.
+106 Return 0 on success, 1 on failure. """
+107 ver = "dev" if "--dev" in argv else GEF_DEFAULT_BRANCH
+108 latest_gef_data = http_get(f"https://raw.githubusercontent.com/hugsy/gef/{ver}/scripts/gef.sh")
+109 if not latest_gef_data:
+110 print("[-] Failed to get remote gef")
+111 return 1
+112 with tempfile.NamedTemporaryFile(suffix=".sh") as fd:
+113 fd.write(latest_gef_data)
+114 fd.flush()
+115 fpath = pathlib.Path(fd.name)
+116 return subprocess.run(["bash", fpath, ver], stdout=subprocess.DEVNULL,
+117 stderr=subprocess.DEVNULL).returncode
+ + +120try:
+121 import gdb # type:ignore
+122except ImportError:
+123 # if out of gdb, the only action allowed is to update gef.py
+124 if len(sys.argv) >= 2 and sys.argv[1].lower() in ("--update", "--upgrade"):
+125 sys.exit(update_gef(sys.argv[2:]))
+126 print("[-] gef cannot run as standalone")
+127 sys.exit(0)
+ + +130GDB_MIN_VERSION = (8, 0)
+131GDB_VERSION = tuple(map(int, re.search(r"(\d+)[^\d]+(\d+)", gdb.VERSION).groups()))
+132PYTHON_MIN_VERSION = (3, 6)
+133PYTHON_VERSION = sys.version_info[0:2]
+ +135DEFAULT_PAGE_ALIGN_SHIFT = 12
+136DEFAULT_PAGE_SIZE = 1 << DEFAULT_PAGE_ALIGN_SHIFT
+ +138GEF_RC = (pathlib.Path(os.getenv("GEF_RC", "")).absolute()
+139 if os.getenv("GEF_RC")
+140 else pathlib.Path().home() / ".gef.rc")
+141GEF_TEMP_DIR = os.path.join(tempfile.gettempdir(), "gef")
+142GEF_MAX_STRING_LENGTH = 50
+ +144LIBC_HEAP_MAIN_ARENA_DEFAULT_NAME = "main_arena"
+145ANSI_SPLIT_RE = r"(\033\[[\d;]*m)"
+ +147LEFT_ARROW = " ← "
+148RIGHT_ARROW = " → "
+149DOWN_ARROW = "↳"
+150HORIZONTAL_LINE = "─"
+151VERTICAL_LINE = "│"
+152CROSS = "✘ "
+153TICK = "✓ "
+154BP_GLYPH = "●"
+155GEF_PROMPT = "gef➤ "
+156GEF_PROMPT_ON = f"\001\033[1;32m\002{GEF_PROMPT}\001\033[0m\002"
+157GEF_PROMPT_OFF = f"\001\033[1;31m\002{GEF_PROMPT}\001\033[0m\002"
+ +159PATTERN_LIBC_VERSION = re.compile(rb"glibc (\d+)\.(\d+)")
+ +161gef : "Gef"
+162__registered_commands__ : Set[Type["GenericCommand"]] = set()
+163__registered_functions__ : Set[Type["GenericFunction"]] = set()
+164__registered_architectures__ : Dict[Union["Elf.Abi", str], Type["Architecture"]] = {}
+165__registered_file_formats__ : Set[ Type["FileFormat"] ] = set()
+ + +168def reset_all_caches() -> None:
+169 """Free all caches. If an object is cached, it will have a callable attribute `cache_clear`
+170 which will be invoked to purge the function cache."""
+ +172 for mod in dir(sys.modules["__main__"]):
+173 obj = getattr(sys.modules["__main__"], mod)
+174 if hasattr(obj, "cache_clear"):
+175 obj.cache_clear()
+ +177 gef.reset_caches()
+178 return
+ + +181def reset() -> None:
+182 global gef
+ +184 arch = None
+185 if "gef" in locals().keys(): 185 ↛ 186line 185 didn't jump to line 186, because the condition on line 185 was never true
+186 reset_all_caches()
+187 arch = gef.arch
+188 del gef
+ +190 gef = Gef()
+191 gef.setup()
+ +193 if arch: 193 ↛ 194line 193 didn't jump to line 194, because the condition on line 193 was never true
+194 gef.arch = arch
+195 return
+ + +198def highlight_text(text: str) -> str:
+199 """
+200 Highlight text using `gef.ui.highlight_table` { match -> color } settings.
+ +202 If RegEx is enabled it will create a match group around all items in the
+203 `gef.ui.highlight_table` and wrap the specified color in the `gef.ui.highlight_table`
+204 around those matches.
+ +206 If RegEx is disabled, split by ANSI codes and 'colorify' each match found
+207 within the specified string.
+208 """
+209 global gef
+ +211 if not gef.ui.highlight_table:
+212 return text
+ +214 if gef.config["highlight.regex"]: 214 ↛ 215line 214 didn't jump to line 215, because the condition on line 214 was never true
+215 for match, color in gef.ui.highlight_table.items():
+216 text = re.sub("(" + match + ")", Color.colorify("\\1", color), text)
+217 return text
+ +219 ansiSplit = re.split(ANSI_SPLIT_RE, text)
+ +221 for match, color in gef.ui.highlight_table.items():
+222 for index, val in enumerate(ansiSplit): 222 ↛ 227line 222 didn't jump to line 227, because the loop on line 222 didn't complete
+223 found = val.find(match)
+224 if found > -1:
+225 ansiSplit[index] = val.replace(match, Color.colorify(match, color))
+226 break
+227 text = "".join(ansiSplit)
+228 ansiSplit = re.split(ANSI_SPLIT_RE, text)
+ +230 return "".join(ansiSplit)
+ + +233def gef_print(*args: str, end="\n", sep=" ", **kwargs: Any) -> None:
+234 """Wrapper around print(), using string buffering feature."""
+235 parts = [highlight_text(a) for a in args]
+236 if buffer_output() and gef.ui.stream_buffer and not is_debug(): 236 ↛ 237line 236 didn't jump to line 237, because the condition on line 236 was never true
+237 gef.ui.stream_buffer.write(sep.join(parts) + end)
+238 return
+ +240 print(*parts, sep=sep, end=end, **kwargs)
+241 return
+ + +244def bufferize(f: Callable) -> Callable:
+245 """Store the content to be printed for a function in memory, and flush it on function exit."""
+ +247 @functools.wraps(f)
+248 def wrapper(*args: Any, **kwargs: Any) -> Any:
+249 global gef
+ +251 if gef.ui.stream_buffer:
+252 return f(*args, **kwargs)
+ +254 gef.ui.stream_buffer = StringIO()
+255 try:
+256 rv = f(*args, **kwargs)
+257 finally:
+258 redirect = gef.config["context.redirect"]
+259 if redirect.startswith("/dev/pts/"): 259 ↛ 260line 259 didn't jump to line 260, because the condition on line 259 was never true
+260 if not gef.ui.redirect_fd:
+261 # if the FD has never been open, open it
+262 fd = open(redirect, "wt")
+263 gef.ui.redirect_fd = fd
+264 elif redirect != gef.ui.redirect_fd.name:
+265 # if the user has changed the redirect setting during runtime, update the state
+266 gef.ui.redirect_fd.close()
+267 fd = open(redirect, "wt")
+268 gef.ui.redirect_fd = fd
+269 else:
+270 # otherwise, keep using it
+271 fd = gef.ui.redirect_fd
+272 else:
+273 fd = sys.stdout
+274 gef.ui.redirect_fd = None
+ +276 if gef.ui.redirect_fd and fd.closed: 276 ↛ 278line 276 didn't jump to line 278, because the condition on line 276 was never true
+277 # if the tty was closed, revert back to stdout
+278 fd = sys.stdout
+279 gef.ui.redirect_fd = None
+280 gef.config["context.redirect"] = ""
+ +282 fd.write(gef.ui.stream_buffer.getvalue())
+283 fd.flush()
+284 gef.ui.stream_buffer = None
+285 return rv
+ +287 return wrapper
+ + +290#
+291# Helpers
+292#
+ +294def p8(x: int, s: bool = False, e: Optional["Endianness"] = None) -> bytes:
+295 """Pack one byte respecting the current architecture endianness."""
+296 endian = e or gef.arch.endianness
+297 return struct.pack(f"{endian}B", x) if not s else struct.pack(f"{endian:s}b", x)
+ + +300def p16(x: int, s: bool = False, e: Optional["Endianness"] = None) -> bytes:
+301 """Pack one word respecting the current architecture endianness."""
+302 endian = e or gef.arch.endianness
+303 return struct.pack(f"{endian}H", x) if not s else struct.pack(f"{endian:s}h", x)
+ + +306def p32(x: int, s: bool = False, e: Optional["Endianness"] = None) -> bytes:
+307 """Pack one dword respecting the current architecture endianness."""
+308 endian = e or gef.arch.endianness
+309 return struct.pack(f"{endian}I", x) if not s else struct.pack(f"{endian:s}i", x)
+ + +312def p64(x: int, s: bool = False, e: Optional["Endianness"] = None) -> bytes:
+313 """Pack one qword respecting the current architecture endianness."""
+314 endian = e or gef.arch.endianness
+315 return struct.pack(f"{endian}Q", x) if not s else struct.pack(f"{endian:s}q", x)
+ + +318def u8(x: bytes, s: bool = False, e: Optional["Endianness"] = None) -> int:
+319 """Unpack one byte respecting the current architecture endianness."""
+320 endian = e or gef.arch.endianness
+321 return struct.unpack(f"{endian}B", x)[0] if not s else struct.unpack(f"{endian:s}b", x)[0]
+ + +324def u16(x: bytes, s: bool = False, e: Optional["Endianness"] = None) -> int:
+325 """Unpack one word respecting the current architecture endianness."""
+326 endian = e or gef.arch.endianness
+327 return struct.unpack(f"{endian}H", x)[0] if not s else struct.unpack(f"{endian:s}h", x)[0]
+ + +330def u32(x: bytes, s: bool = False, e: Optional["Endianness"] = None) -> int:
+331 """Unpack one dword respecting the current architecture endianness."""
+332 endian = e or gef.arch.endianness
+333 return struct.unpack(f"{endian}I", x)[0] if not s else struct.unpack(f"{endian:s}i", x)[0]
+ + +336def u64(x: bytes, s: bool = False, e: Optional["Endianness"] = None) -> int:
+337 """Unpack one qword respecting the current architecture endianness."""
+338 endian = e or gef.arch.endianness
+339 return struct.unpack(f"{endian}Q", x)[0] if not s else struct.unpack(f"{endian:s}q", x)[0]
+ + +342def is_ascii_string(address: int) -> bool:
+343 """Helper function to determine if the buffer pointed by `address` is an ASCII string (in GDB)"""
+344 try:
+345 return gef.memory.read_ascii_string(address) is not None
+346 except Exception:
+347 return False
+ + +350def is_alive() -> bool:
+351 """Check if GDB is running."""
+352 try:
+353 return gdb.selected_inferior().pid > 0
+354 except Exception:
+355 return False
+ + +358def calling_function() -> Optional[str]:
+359 """Return the name of the calling function"""
+360 try:
+361 stack_info = traceback.extract_stack()[-3]
+362 return stack_info.name
+363 except:
+364 return None
+ + +367#
+368# Decorators
+369#
+370def only_if_gdb_running(f: Callable) -> Callable:
+371 """Decorator wrapper to check if GDB is running."""
+ +373 @functools.wraps(f)
+374 def wrapper(*args: Any, **kwargs: Any) -> Any:
+375 if is_alive():
+376 return f(*args, **kwargs)
+377 else:
+378 warn("No debugging session active")
+ +380 return wrapper
+ + +383def only_if_gdb_target_local(f: Callable) -> Callable:
+384 """Decorator wrapper to check if GDB is running locally (target not remote)."""
+ +386 @functools.wraps(f)
+387 def wrapper(*args: Any, **kwargs: Any) -> Any:
+388 if not is_remote_debug(): 388 ↛ 391line 388 didn't jump to line 391, because the condition on line 388 was never false
+389 return f(*args, **kwargs)
+390 else:
+391 warn("This command cannot work for remote sessions.")
+ +393 return wrapper
+ + +396def deprecated(solution: str = "") -> Callable:
+397 """Decorator to add a warning when a command is obsolete and will be removed."""
+398 def decorator(f: Callable) -> Callable:
+399 @functools.wraps(f)
+400 def wrapper(*args: Any, **kwargs: Any) -> Any:
+401 caller = inspect.stack()[1]
+402 caller_file = pathlib.Path(caller.filename)
+403 caller_loc = caller.lineno
+404 msg = f"{caller_file.name}:L{caller_loc} '{f.__name__}' is deprecated and will be removed in a feature release. "
+405 if not gef: 405 ↛ 406line 405 didn't jump to line 406, because the condition on line 405 was never true
+406 print(msg)
+407 elif gef.config["gef.show_deprecation_warnings"] is True: 407 ↛ 411line 407 didn't jump to line 411, because the condition on line 407 was never false
+408 if solution: 408 ↛ 410line 408 didn't jump to line 410, because the condition on line 408 was never false
+409 msg += solution
+410 warn(msg)
+411 return f(*args, **kwargs)
+ +413 if not wrapper.__doc__:
+414 wrapper.__doc__ = ""
+415 wrapper.__doc__ += f"\r\n`{f.__name__}` is **DEPRECATED** and will be removed in the future.\r\n{solution}"
+416 return wrapper
+417 return decorator
+ + +420def experimental_feature(f: Callable) -> Callable:
+421 """Decorator to add a warning when a feature is experimental."""
+ +423 @functools.wraps(f)
+424 def wrapper(*args: Any, **kwargs: Any) -> Any:
+425 warn("This feature is under development, expect bugs and unstability...")
+426 return f(*args, **kwargs)
+ +428 return wrapper
+ + +431def only_if_events_supported(event_type: str) -> Callable:
+432 """Checks if GDB supports events without crashing."""
+433 def wrap(f: Callable) -> Callable:
+434 def wrapped_f(*args: Any, **kwargs: Any) -> Any:
+435 if getattr(gdb, "events") and getattr(gdb.events, event_type): 435 ↛ 437line 435 didn't jump to line 437, because the condition on line 435 was never false
+436 return f(*args, **kwargs)
+437 warn("GDB events cannot be set")
+438 return wrapped_f
+439 return wrap
+ + +442class classproperty(property):
+443 """Make the attribute a `classproperty`."""
+444 def __get__(self, cls, owner):
+445 return classmethod(self.fget).__get__(None, owner)()
+ + +448def FakeExit(*args: Any, **kwargs: Any) -> NoReturn:
+449 raise RuntimeWarning
+ + +452sys.exit = FakeExit
+ + +455def parse_arguments(required_arguments: Dict[Union[str, Tuple[str, str]], Any],
+456 optional_arguments: Dict[Union[str, Tuple[str, str]], Any]) -> Callable:
+457 """Argument parsing decorator."""
+ +459 def int_wrapper(x: str) -> int: return int(x, 0)
+ +461 def decorator(f: Callable) -> Optional[Callable]:
+462 def wrapper(*args: Any, **kwargs: Any) -> Callable:
+463 parser = argparse.ArgumentParser(prog=args[0]._cmdline_, add_help=True)
+464 for argname in required_arguments:
+465 argvalue = required_arguments[argname]
+466 argtype = type(argvalue)
+467 if argtype is int:
+468 argtype = int_wrapper
+ +470 argname_is_list = not isinstance(argname, str)
+471 assert not argname_is_list and isinstance(argname, str)
+472 if not argname_is_list and argname.startswith("-"): 472 ↛ 474line 472 didn't jump to line 474, because the condition on line 472 was never true
+473 # optional args
+474 if argtype is bool:
+475 parser.add_argument(argname, action="store_true" if argvalue else "store_false")
+476 else:
+477 parser.add_argument(argname, type=argtype, required=True, default=argvalue)
+478 else:
+479 if argtype in (list, tuple):
+480 nargs = "*"
+481 argtype = type(argvalue[0])
+482 else:
+483 nargs = "?"
+484 # positional args
+485 parser.add_argument(argname, type=argtype, default=argvalue, nargs=nargs)
+ +487 for argname in optional_arguments:
+488 if isinstance(argname, str) and not argname.startswith("-"): 488 ↛ 490line 488 didn't jump to line 490, because the condition on line 488 was never true
+489 # refuse positional arguments
+490 continue
+491 argvalue = optional_arguments[argname]
+492 argtype = type(argvalue)
+493 if isinstance(argname, str):
+494 argname = [argname,]
+495 if argtype is int:
+496 argtype = int_wrapper
+497 if argtype is bool:
+498 parser.add_argument(*argname, action="store_true" if argvalue else "store_false")
+499 else:
+500 parser.add_argument(*argname, type=argtype, default=argvalue)
+ +502 parsed_args = parser.parse_args(*(args[1:]))
+503 kwargs["arguments"] = parsed_args
+504 return f(*args, **kwargs)
+505 return wrapper
+506 return decorator
+ + +509class Color:
+510 """Used to colorify terminal output."""
+511 colors = {
+512 "normal" : "\033[0m",
+513 "gray" : "\033[1;38;5;240m",
+514 "light_gray" : "\033[0;37m",
+515 "red" : "\033[31m",
+516 "green" : "\033[32m",
+517 "yellow" : "\033[33m",
+518 "blue" : "\033[34m",
+519 "pink" : "\033[35m",
+520 "cyan" : "\033[36m",
+521 "bold" : "\033[1m",
+522 "underline" : "\033[4m",
+523 "underline_off" : "\033[24m",
+524 "highlight" : "\033[3m",
+525 "highlight_off" : "\033[23m",
+526 "blink" : "\033[5m",
+527 "blink_off" : "\033[25m",
+528 }
+ +530 @staticmethod
+531 def redify(msg: str) -> str: return Color.colorify(msg, "red")
+532 @staticmethod
+533 def greenify(msg: str) -> str: return Color.colorify(msg, "green")
+534 @staticmethod
+535 def blueify(msg: str) -> str: return Color.colorify(msg, "blue")
+536 @staticmethod
+537 def yellowify(msg: str) -> str: return Color.colorify(msg, "yellow")
+538 @staticmethod
+539 def grayify(msg: str) -> str: return Color.colorify(msg, "gray") 539 ↛ exitline 539 didn't return from function 'grayify', because the return on line 539 wasn't executed
+540 @staticmethod
+541 def light_grayify(msg: str) -> str: return Color.colorify(msg, "light_gray") 541 ↛ exitline 541 didn't return from function 'light_grayify', because the return on line 541 wasn't executed
+542 @staticmethod
+543 def pinkify(msg: str) -> str: return Color.colorify(msg, "pink")
+544 @staticmethod
+545 def cyanify(msg: str) -> str: return Color.colorify(msg, "cyan") 545 ↛ exitline 545 didn't return from function 'cyanify', because the return on line 545 wasn't executed
+546 @staticmethod
+547 def boldify(msg: str) -> str: return Color.colorify(msg, "bold")
+548 @staticmethod
+549 def underlinify(msg: str) -> str: return Color.colorify(msg, "underline") 549 ↛ exitline 549 didn't return from function 'underlinify', because the return on line 549 wasn't executed
+550 @staticmethod
+551 def highlightify(msg: str) -> str: return Color.colorify(msg, "highlight") 551 ↛ exitline 551 didn't return from function 'highlightify', because the return on line 551 wasn't executed
+552 @staticmethod
+553 def blinkify(msg: str) -> str: return Color.colorify(msg, "blink") 553 ↛ exitline 553 didn't return from function 'blinkify', because the return on line 553 wasn't executed
+ +555 @staticmethod
+556 def colorify(text: str, attrs: str) -> str:
+557 """Color text according to the given attributes."""
+558 if gef.config["gef.disable_color"] is True: return text 558 ↛ exitline 558 didn't return from function 'colorify', because the return on line 558 wasn't executed
+ +560 colors = Color.colors
+561 msg = [colors[attr] for attr in attrs.split() if attr in colors]
+562 msg.append(str(text))
+563 if colors["highlight"] in msg: msg.append(colors["highlight_off"])
+564 if colors["underline"] in msg: msg.append(colors["underline_off"])
+565 if colors["blink"] in msg: msg.append(colors["blink_off"])
+566 msg.append(colors["normal"])
+567 return "".join(msg)
+ + +570class Address:
+571 """GEF representation of memory addresses."""
+572 def __init__(self, **kwargs: Any) -> None:
+573 self.value: int = kwargs.get("value", 0)
+574 self.section: "Section" = kwargs.get("section", None)
+575 self.info: "Zone" = kwargs.get("info", None)
+576 return
+ +578 def __str__(self) -> str:
+579 value = format_address(self.value)
+580 code_color = gef.config["theme.address_code"]
+581 stack_color = gef.config["theme.address_stack"]
+582 heap_color = gef.config["theme.address_heap"]
+583 if self.is_in_text_segment():
+584 return Color.colorify(value, code_color)
+585 if self.is_in_heap_segment(): 585 ↛ 586line 585 didn't jump to line 586, because the condition on line 585 was never true
+586 return Color.colorify(value, heap_color)
+587 if self.is_in_stack_segment():
+588 return Color.colorify(value, stack_color)
+589 return value
+ +591 def __int__(self) -> int:
+592 return self.value
+ +594 def is_in_text_segment(self) -> bool:
+595 return (hasattr(self.info, "name") and ".text" in self.info.name) or \
+596 (hasattr(self.section, "path") and get_filepath() == self.section.path and self.section.is_executable())
+ +598 def is_in_stack_segment(self) -> bool:
+599 return hasattr(self.section, "path") and "[stack]" == self.section.path
+ +601 def is_in_heap_segment(self) -> bool:
+602 return hasattr(self.section, "path") and "[heap]" == self.section.path
+ +604 def dereference(self) -> Optional[int]:
+605 addr = align_address(int(self.value))
+606 derefed = dereference(addr)
+607 return None if derefed is None else int(derefed)
+ +609 @property
+610 def valid(self) -> bool:
+611 return any(map(lambda x: x.page_start <= self.value < x.page_end, gef.memory.maps))
+ + +614class Permission(enum.Flag):
+615 """GEF representation of Linux permission."""
+616 NONE = 0
+617 EXECUTE = 1
+618 WRITE = 2
+619 READ = 4
+620 ALL = 7
+ +622 def __str__(self) -> str:
+623 perm_str = ""
+624 perm_str += "r" if self & Permission.READ else "-"
+625 perm_str += "w" if self & Permission.WRITE else "-"
+626 perm_str += "x" if self & Permission.EXECUTE else "-"
+627 return perm_str
+ +629 @classmethod
+630 def from_info_sections(cls, *args: str) -> "Permission":
+631 perm = cls(0)
+632 for arg in args:
+633 if "READONLY" in arg: perm |= Permission.READ
+634 if "DATA" in arg: perm |= Permission.WRITE
+635 if "CODE" in arg: perm |= Permission.EXECUTE
+636 return perm
+ +638 @classmethod
+639 def from_process_maps(cls, perm_str: str) -> "Permission":
+640 perm = cls(0)
+641 if perm_str[0] == "r": perm |= Permission.READ
+642 if perm_str[1] == "w": perm |= Permission.WRITE
+643 if perm_str[2] == "x": perm |= Permission.EXECUTE
+644 return perm
+ +646 @classmethod
+647 def from_info_mem(cls, perm_str: str) -> "Permission":
+648 perm = cls(0)
+649 # perm_str[0] shows if this is a user page, which
+650 # we don't track
+651 if perm_str[1] == "r": perm |= Permission.READ
+652 if perm_str[2] == "w": perm |= Permission.WRITE
+653 return perm
+ + +656class Section:
+657 """GEF representation of process memory sections."""
+ +659 def __init__(self, **kwargs: Any) -> None:
+660 self.page_start: int = kwargs.get("page_start", 0)
+661 self.page_end: int = kwargs.get("page_end", 0)
+662 self.offset: int = kwargs.get("offset", 0)
+663 self.permission: Permission = kwargs.get("permission", Permission(0))
+664 self.inode: int = kwargs.get("inode", 0)
+665 self.path: str = kwargs.get("path", "")
+666 return
+ +668 def is_readable(self) -> bool:
+669 return (self.permission & Permission.READ) != 0
+ +671 def is_writable(self) -> bool:
+672 return (self.permission & Permission.WRITE) != 0
+ +674 def is_executable(self) -> bool:
+675 return (self.permission & Permission.EXECUTE) != 0
+ +677 @property
+678 def size(self) -> int:
+679 if self.page_end is None or self.page_start is None:
+680 return -1
+681 return self.page_end - self.page_start
+ +683 @property
+684 def realpath(self) -> str:
+685 # when in a `gef-remote` session, realpath returns the path to the binary on the local disk, not remote
+686 return self.path if gef.session.remote is None else f"/tmp/gef/{gef.session.remote:d}/{self.path}"
+ +688 def __str__(self) -> str:
+689 return (f"Section(page_start={self.page_start:#x}, page_end={self.page_end:#x}, "
+690 f"permissions={self.permission!s})")
+ + +693Zone = collections.namedtuple("Zone", ["name", "zone_start", "zone_end", "filename"])
+ + +696class Endianness(enum.Enum):
+697 LITTLE_ENDIAN = 1
+698 BIG_ENDIAN = 2
+ +700 def __str__(self) -> str:
+701 return "<" if self == Endianness.LITTLE_ENDIAN else ">"
+ +703 def __repr__(self) -> str:
+704 return self.name
+ +706 def __int__(self) -> int:
+707 return self.value
+ + +710class FileFormatSection:
+711 misc: Any
+ + +714class FileFormat:
+715 name: str
+716 path: pathlib.Path
+717 entry_point: int
+718 checksec: Dict[str, bool]
+719 sections: List[FileFormatSection]
+ +721 def __init__(self, path: Union[str, pathlib.Path]) -> None:
+722 raise NotImplemented
+ +724 def __init_subclass__(cls: Type["FileFormat"], **kwargs):
+725 global __registered_file_formats__
+726 super().__init_subclass__(**kwargs)
+727 required_attributes = ("name", "entry_point", "is_valid", "checksec",)
+728 for attr in required_attributes:
+729 if not hasattr(cls, attr): 729 ↛ 730line 729 didn't jump to line 730, because the condition on line 729 was never true
+730 raise NotImplementedError(f"File format '{cls.__name__}' is invalid: missing attribute '{attr}'")
+731 __registered_file_formats__.add(cls)
+732 return
+ +734 @classmethod
+735 def is_valid(cls, path: pathlib.Path) -> bool:
+736 raise NotImplemented
+ +738 def __str__(self) -> str:
+739 return f"{self.name}('{self.path.absolute()}', entry @ {self.entry_point:#x})"
+ + +742class Elf(FileFormat):
+743 """Basic ELF parsing.
+744 Ref:
+745 - http://www.skyfree.org/linux/references/ELF_Format.pdf
+746 - https://refspecs.linuxfoundation.org/elf/elfspec_ppc.pdf
+747 - https://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html
+748 """
+749 class Class(enum.Enum):
+750 ELF_32_BITS = 0x01
+751 ELF_64_BITS = 0x02
+ +753 ELF_MAGIC = 0x7f454c46
+ +755 class Abi(enum.Enum):
+756 X86_64 = 0x3e
+757 X86_32 = 0x03
+758 ARM = 0x28
+759 MIPS = 0x08
+760 POWERPC = 0x14
+761 POWERPC64 = 0x15
+762 SPARC = 0x02
+763 SPARC64 = 0x2b
+764 AARCH64 = 0xb7
+765 RISCV = 0xf3
+766 IA64 = 0x32
+767 M68K = 0x04
+ +769 class Type(enum.Enum):
+770 ET_RELOC = 1
+771 ET_EXEC = 2
+772 ET_DYN = 3
+773 ET_CORE = 4
+ +775 class OsAbi(enum.Enum):
+776 SYSTEMV = 0x00
+777 HPUX = 0x01
+778 NETBSD = 0x02
+779 LINUX = 0x03
+780 SOLARIS = 0x06
+781 AIX = 0x07
+782 IRIX = 0x08
+783 FREEBSD = 0x09
+784 OPENBSD = 0x0C
+ +786 e_magic: int = ELF_MAGIC
+787 e_class: "Elf.Class" = Class.ELF_32_BITS
+788 e_endianness: Endianness = Endianness.LITTLE_ENDIAN
+789 e_eiversion: int
+790 e_osabi: "Elf.OsAbi"
+791 e_abiversion: int
+792 e_pad: bytes
+793 e_type: "Elf.Type" = Type.ET_EXEC
+794 e_machine: Abi = Abi.X86_32
+795 e_version: int
+796 e_entry: int
+797 e_phoff: int
+798 e_shoff: int
+799 e_flags: int
+800 e_ehsize: int
+801 e_phentsize: int
+802 e_phnum: int
+803 e_shentsize: int
+804 e_shnum: int
+805 e_shstrndx: int
+ +807 path: pathlib.Path
+808 phdrs : List["Phdr"]
+809 shdrs : List["Shdr"]
+810 name: str = "ELF"
+ +812 __checksec : Dict[str, bool]
+ +814 def __init__(self, path: Union[str, pathlib.Path]) -> None:
+815 """Instantiate an ELF object. A valid ELF must be provided, or an exception will be thrown."""
+ +817 if isinstance(path, str):
+818 self.path = pathlib.Path(path).expanduser()
+819 elif isinstance(path, pathlib.Path): 819 ↛ 822line 819 didn't jump to line 822, because the condition on line 819 was never false
+820 self.path = path
+821 else:
+822 raise TypeError
+ +824 if not self.path.exists(): 824 ↛ 825line 824 didn't jump to line 825, because the condition on line 824 was never true
+825 raise FileNotFoundError(f"'{self.path}' not found/readable, most gef features will not work")
+ +827 self.__checksec = {}
+ +829 with self.path.open("rb") as self.fd:
+830 # off 0x0
+831 self.e_magic, e_class, e_endianness, self.e_eiversion = self.read_and_unpack(">IBBB")
+832 if self.e_magic != Elf.ELF_MAGIC: 832 ↛ 834line 832 didn't jump to line 834, because the condition on line 832 was never true
+833 # The ELF is corrupted, GDB won't handle it, no point going further
+834 raise RuntimeError("Not a valid ELF file (magic)")
+ +836 self.e_class, self.e_endianness = Elf.Class(e_class), Endianness(e_endianness)
+ +838 if self.e_endianness != gef.arch.endianness: 838 ↛ 839line 838 didn't jump to line 839, because the condition on line 838 was never true
+839 warn("Unexpected endianness for architecture")
+ +841 endian = self.e_endianness
+ +843 # off 0x7
+844 e_osabi, self.e_abiversion = self.read_and_unpack(f"{endian}BB")
+845 self.e_osabi = Elf.OsAbi(e_osabi)
+ +847 # off 0x9
+848 self.e_pad = self.read(7)
+ +850 # off 0x10
+851 e_type, e_machine, self.e_version = self.read_and_unpack(f"{endian}HHI")
+852 self.e_type, self.e_machine = Elf.Type(e_type), Elf.Abi(e_machine)
+ +854 # off 0x18
+855 if self.e_class == Elf.Class.ELF_64_BITS: 855 ↛ 858line 855 didn't jump to line 858, because the condition on line 855 was never false
+856 self.e_entry, self.e_phoff, self.e_shoff = self.read_and_unpack(f"{endian}QQQ")
+857 else:
+858 self.e_entry, self.e_phoff, self.e_shoff = self.read_and_unpack(f"{endian}III")
+ +860 self.e_flags, self.e_ehsize, self.e_phentsize, self.e_phnum = self.read_and_unpack(f"{endian}IHHH")
+861 self.e_shentsize, self.e_shnum, self.e_shstrndx = self.read_and_unpack(f"{endian}HHH")
+ +863 self.phdrs = []
+864 for i in range(self.e_phnum):
+865 self.phdrs.append(Phdr(self, self.e_phoff + self.e_phentsize * i))
+ +867 self.shdrs = []
+868 for i in range(self.e_shnum):
+869 self.shdrs.append(Shdr(self, self.e_shoff + self.e_shentsize * i))
+870 return
+ +872 def read(self, size: int) -> bytes:
+873 return self.fd.read(size)
+ +875 def read_and_unpack(self, fmt: str) -> Tuple[Any, ...]:
+876 size = struct.calcsize(fmt)
+877 data = self.fd.read(size)
+878 return struct.unpack(fmt, data)
+ +880 def seek(self, off: int) -> None:
+881 self.fd.seek(off, 0)
+ +883 def __str__(self) -> str:
+884 return f"ELF('{self.path.absolute()}', {self.e_class.name}, {self.e_machine.name})"
+ +886 def __repr__(self) -> str:
+887 return f"ELF('{self.path.absolute()}', {self.e_class.name}, {self.e_machine.name})"
+ +889 @property
+890 def entry_point(self) -> int:
+891 return self.e_entry
+ +893 @classmethod
+894 def is_valid(cls, path: pathlib.Path) -> bool:
+895 return u32(path.open("rb").read(4), e = Endianness.BIG_ENDIAN) == Elf.ELF_MAGIC
+ +897 @property
+898 def checksec(self) -> Dict[str, bool]:
+899 """Check the security property of the ELF binary. The following properties are:
+900 - Canary
+901 - NX
+902 - PIE
+903 - Fortify
+904 - Partial/Full RelRO.
+905 Return a dict() with the different keys mentioned above, and the boolean
+906 associated whether the protection was found."""
+907 if not self.__checksec: 907 ↛ 930line 907 didn't jump to line 930, because the condition on line 907 was never false
+908 def __check_security_property(opt: str, filename: str, pattern: str) -> bool:
+909 cmd = [readelf,]
+910 cmd += opt.split()
+911 cmd += [filename,]
+912 lines = gef_execute_external(cmd, as_list=True)
+913 for line in lines:
+914 if re.search(pattern, line):
+915 return True
+916 return False
+ +918 abspath = str(self.path.absolute())
+919 readelf = gef.session.constants["readelf"]
+920 self.__checksec["Canary"] = __check_security_property("-rs", abspath, r"__stack_chk_fail") is True
+921 has_gnu_stack = __check_security_property("-W -l", abspath, r"GNU_STACK") is True
+922 if has_gnu_stack: 922 ↛ 925line 922 didn't jump to line 925, because the condition on line 922 was never false
+923 self.__checksec["NX"] = __check_security_property("-W -l", abspath, r"GNU_STACK.*RWE") is False
+924 else:
+925 self.__checksec["NX"] = False
+926 self.__checksec["PIE"] = __check_security_property("-h", abspath, r":.*EXEC") is False
+927 self.__checksec["Fortify"] = __check_security_property("-s", abspath, r"_chk@GLIBC") is True
+928 self.__checksec["Partial RelRO"] = __check_security_property("-l", abspath, r"GNU_RELRO") is True
+929 self.__checksec["Full RelRO"] = self.__checksec["Partial RelRO"] and __check_security_property("-d", abspath, r"BIND_NOW") is True
+930 return self.__checksec
+ +932 @classproperty
+933 @deprecated("use `Elf.Abi.X86_64`")
+934 def X86_64(cls) -> int: return Elf.Abi.X86_64.value # pylint: disable=no-self-argument
+ +936 @classproperty
+937 @deprecated("use `Elf.Abi.X86_32`")
+938 def X86_32(cls) -> int : return Elf.Abi.X86_32.value # pylint: disable=no-self-argument
+ +940 @classproperty
+941 @deprecated("use `Elf.Abi.ARM`")
+942 def ARM(cls) -> int : return Elf.Abi.ARM.value # pylint: disable=no-self-argument
+ +944 @classproperty
+945 @deprecated("use `Elf.Abi.MIPS`")
+946 def MIPS(cls) -> int : return Elf.Abi.MIPS.value # pylint: disable=no-self-argument
+ +948 @classproperty
+949 @deprecated("use `Elf.Abi.POWERPC`")
+950 def POWERPC(cls) -> int : return Elf.Abi.POWERPC.value # pylint: disable=no-self-argument
+ +952 @classproperty
+953 @deprecated("use `Elf.Abi.POWERPC64`")
+954 def POWERPC64(cls) -> int : return Elf.Abi.POWERPC64.value # pylint: disable=no-self-argument
+ +956 @classproperty
+957 @deprecated("use `Elf.Abi.SPARC`")
+958 def SPARC(cls) -> int : return Elf.Abi.SPARC.value # pylint: disable=no-self-argument
+ +960 @classproperty
+961 @deprecated("use `Elf.Abi.SPARC64`")
+962 def SPARC64(cls) -> int : return Elf.Abi.SPARC64.value # pylint: disable=no-self-argument
+ +964 @classproperty
+965 @deprecated("use `Elf.Abi.AARCH64`")
+966 def AARCH64(cls) -> int : return Elf.Abi.AARCH64.value # pylint: disable=no-self-argument
+ +968 @classproperty
+969 @deprecated("use `Elf.Abi.RISCV`")
+970 def RISCV(cls) -> int : return Elf.Abi.RISCV.value # pylint: disable=no-self-argument
+ + +973class Phdr:
+974 class Type(enum.IntEnum):
+975 PT_NULL = 0
+976 PT_LOAD = 1
+977 PT_DYNAMIC = 2
+978 PT_INTERP = 3
+979 PT_NOTE = 4
+980 PT_SHLIB = 5
+981 PT_PHDR = 6
+982 PT_TLS = 7
+983 PT_LOOS = 0x60000000
+984 PT_GNU_EH_FRAME = 0x6474e550
+985 PT_GNU_STACK = 0x6474e551
+986 PT_GNU_RELRO = 0x6474e552
+987 PT_GNU_PROPERTY = 0x6474e553
+988 PT_LOSUNW = 0x6ffffffa
+989 PT_SUNWBSS = 0x6ffffffa
+990 PT_SUNWSTACK = 0x6ffffffb
+991 PT_HISUNW = PT_HIOS = 0x6fffffff
+992 PT_LOPROC = 0x70000000
+993 PT_ARM_EIDX = 0x70000001
+994 PT_MIPS_ABIFLAGS= 0x70000003
+995 PT_HIPROC = 0x7fffffff
+996 UNKNOWN_PHDR = 0xffffffff
+ +998 @classmethod
+999 def _missing_(cls, _:int) -> Type:
+1000 return cls.UNKNOWN_PHDR
+ +1002 class Flags(enum.IntFlag):
+1003 PF_X = 1
+1004 PF_W = 2
+1005 PF_R = 4
+ +1007 p_type: "Phdr.Type"
+1008 p_flags: "Phdr.Flags"
+1009 p_offset: int
+1010 p_vaddr: int
+1011 p_paddr: int
+1012 p_filesz: int
+1013 p_memsz: int
+1014 p_align: int
+ +1016 def __init__(self, elf: Elf, off: int) -> None:
+1017 if not elf: 1017 ↛ 1018line 1017 didn't jump to line 1018, because the condition on line 1017 was never true
+1018 return
+1019 elf.seek(off)
+1020 self.offset = off
+1021 endian = elf.e_endianness
+1022 if elf.e_class == Elf.Class.ELF_64_BITS: 1022 ↛ 1027line 1022 didn't jump to line 1027, because the condition on line 1022 was never false
+1023 p_type, p_flags, self.p_offset = elf.read_and_unpack(f"{endian}IIQ")
+1024 self.p_vaddr, self.p_paddr = elf.read_and_unpack(f"{endian}QQ")
+1025 self.p_filesz, self.p_memsz, self.p_align = elf.read_and_unpack(f"{endian}QQQ")
+1026 else:
+1027 p_type, self.p_offset = elf.read_and_unpack(f"{endian}II")
+1028 self.p_vaddr, self.p_paddr = elf.read_and_unpack(f"{endian}II")
+1029 self.p_filesz, self.p_memsz, p_flags, self.p_align = elf.read_and_unpack(f"{endian}IIII")
+ +1031 self.p_type, self.p_flags = Phdr.Type(p_type), Phdr.Flags(p_flags)
+1032 return
+ +1034 def __str__(self) -> str:
+1035 return (f"Phdr(offset={self.offset}, type={self.p_type.name}, flags={self.p_flags.name}, "
+1036 f"vaddr={self.p_vaddr}, paddr={self.p_paddr}, filesz={self.p_filesz}, "
+1037 f"memsz={self.p_memsz}, align={self.p_align})")
+ + +1040class Shdr:
+1041 class Type(enum.IntEnum):
+1042 SHT_NULL = 0
+1043 SHT_PROGBITS = 1
+1044 SHT_SYMTAB = 2
+1045 SHT_STRTAB = 3
+1046 SHT_RELA = 4
+1047 SHT_HASH = 5
+1048 SHT_DYNAMIC = 6
+1049 SHT_NOTE = 7
+1050 SHT_NOBITS = 8
+1051 SHT_REL = 9
+1052 SHT_SHLIB = 10
+1053 SHT_DYNSYM = 11
+1054 SHT_NUM = 12
+1055 SHT_INIT_ARRAY = 14
+1056 SHT_FINI_ARRAY = 15
+1057 SHT_PREINIT_ARRAY = 16
+1058 SHT_GROUP = 17
+1059 SHT_SYMTAB_SHNDX = 18
+1060 SHT_LOOS = 0x60000000
+1061 SHT_GNU_ATTRIBUTES = 0x6ffffff5
+1062 SHT_GNU_HASH = 0x6ffffff6
+1063 SHT_GNU_LIBLIST = 0x6ffffff7
+1064 SHT_CHECKSUM = 0x6ffffff8
+1065 SHT_LOSUNW = 0x6ffffffa
+1066 SHT_SUNW_move = 0x6ffffffa
+1067 SHT_SUNW_COMDAT = 0x6ffffffb
+1068 SHT_SUNW_syminfo = 0x6ffffffc
+1069 SHT_GNU_verdef = 0x6ffffffd
+1070 SHT_GNU_verneed = 0x6ffffffe
+1071 SHT_GNU_versym = 0x6fffffff
+1072 SHT_LOPROC = 0x70000000
+1073 SHT_ARM_EXIDX = 0x70000001
+1074 SHT_X86_64_UNWIND = 0x70000001
+1075 SHT_ARM_ATTRIBUTES = 0x70000003
+1076 SHT_MIPS_OPTIONS = 0x7000000d
+1077 DT_MIPS_INTERFACE = 0x7000002a
+1078 SHT_HIPROC = 0x7fffffff
+1079 SHT_LOUSER = 0x80000000
+1080 SHT_HIUSER = 0x8fffffff
+1081 UNKNOWN_SHDR = 0xffffffff
+ +1083 @classmethod
+1084 def _missing_(cls, _:int) -> Type:
+1085 return cls.UNKNOWN_SHDR
+ +1087 class Flags(enum.IntFlag):
+1088 WRITE = 1
+1089 ALLOC = 2
+1090 EXECINSTR = 4
+1091 MERGE = 0x10
+1092 STRINGS = 0x20
+1093 INFO_LINK = 0x40
+1094 LINK_ORDER = 0x80
+1095 OS_NONCONFORMING = 0x100
+1096 GROUP = 0x200
+1097 TLS = 0x400
+1098 COMPRESSED = 0x800
+1099 RELA_LIVEPATCH = 0x00100000
+1100 RO_AFTER_INIT = 0x00200000
+1101 ORDERED = 0x40000000
+1102 EXCLUDE = 0x80000000
+1103 UNKNOWN_FLAG = 0xffffffff
+ +1105 @classmethod
+1106 def _missing_(cls, _:int):
+1107 return cls.UNKNOWN_FLAG
+ +1109 sh_name: int
+1110 sh_type: "Shdr.Type"
+1111 sh_flags: "Shdr.Flags"
+1112 sh_addr: int
+1113 sh_offset: int
+1114 sh_size: int
+1115 sh_link: int
+1116 sh_info: int
+1117 sh_addralign: int
+1118 sh_entsize: int
+1119 name: str
+ +1121 def __init__(self, elf: Optional[Elf], off: int) -> None:
+1122 if elf is None: 1122 ↛ 1123line 1122 didn't jump to line 1123, because the condition on line 1122 was never true
+1123 return
+1124 elf.seek(off)
+1125 endian = elf.e_endianness
+1126 if elf.e_class == Elf.Class.ELF_64_BITS: 1126 ↛ 1132line 1126 didn't jump to line 1132, because the condition on line 1126 was never false
+1127 self.sh_name, sh_type, sh_flags = elf.read_and_unpack(f"{endian}IIQ")
+1128 self.sh_addr, self.sh_offset = elf.read_and_unpack(f"{endian}QQ")
+1129 self.sh_size, self.sh_link, self.sh_info = elf.read_and_unpack(f"{endian}QII")
+1130 self.sh_addralign, self.sh_entsize = elf.read_and_unpack(f"{endian}QQ")
+1131 else:
+1132 self.sh_name, sh_type, sh_flags = elf.read_and_unpack(f"{endian}III")
+1133 self.sh_addr, self.sh_offset = elf.read_and_unpack(f"{endian}II")
+1134 self.sh_size, self.sh_link, self.sh_info = elf.read_and_unpack(f"{endian}III")
+1135 self.sh_addralign, self.sh_entsize = elf.read_and_unpack(f"{endian}II")
+ +1137 self.sh_type = Shdr.Type(sh_type)
+1138 self.sh_flags = Shdr.Flags(sh_flags)
+1139 stroff = elf.e_shoff + elf.e_shentsize * elf.e_shstrndx
+ +1141 if elf.e_class == Elf.Class.ELF_64_BITS: 1141 ↛ 1145line 1141 didn't jump to line 1145, because the condition on line 1141 was never false
+1142 elf.seek(stroff + 16 + 8)
+1143 offset = u64(elf.read(8))
+1144 else:
+1145 elf.seek(stroff + 12 + 4)
+1146 offset = u32(elf.read(4))
+1147 elf.seek(offset + self.sh_name)
+1148 self.name = ""
+1149 while True:
+1150 c = u8(elf.read(1))
+1151 if c == 0:
+1152 break
+1153 self.name += chr(c)
+1154 return
+ +1156 def __str__(self) -> str:
+1157 return (f"Shdr(name={self.name}, type={self.sh_type.name}, flags={self.sh_flags.name}, "
+1158 f"addr={self.sh_addr:#x}, offset={self.sh_offset}, size={self.sh_size}, link={self.sh_link}, "
+1159 f"info={self.sh_info}, addralign={self.sh_addralign}, entsize={self.sh_entsize})")
+ + +1162class Instruction:
+1163 """GEF representation of a CPU instruction."""
+ +1165 def __init__(self, address: int, location: str, mnemo: str, operands: List[str], opcodes: bytes) -> None:
+1166 self.address, self.location, self.mnemonic, self.operands, self.opcodes = \
+1167 address, location, mnemo, operands, opcodes
+1168 return
+ +1170 # Allow formatting an instruction with {:o} to show opcodes.
+1171 # The number of bytes to display can be configured, e.g. {:4o} to only show 4 bytes of the opcodes
+1172 def __format__(self, format_spec: str) -> str:
+1173 if len(format_spec) == 0 or format_spec[-1] != "o": 1173 ↛ 1174line 1173 didn't jump to line 1174, because the condition on line 1173 was never true
+1174 return str(self)
+ +1176 if format_spec == "o": 1176 ↛ 1177line 1176 didn't jump to line 1177, because the condition on line 1176 was never true
+1177 opcodes_len = len(self.opcodes)
+1178 else:
+1179 opcodes_len = int(format_spec[:-1])
+ +1181 opcodes_text = "".join(f"{b:02x}" for b in self.opcodes[:opcodes_len])
+1182 if opcodes_len < len(self.opcodes):
+1183 opcodes_text += "..."
+1184 return (f"{self.address:#10x} {opcodes_text:{opcodes_len * 2 + 3:d}s} {self.location:16} "
+1185 f"{self.mnemonic:6} {', '.join(self.operands)}")
+ +1187 def __str__(self) -> str:
+1188 return f"{self.address:#10x} {self.location:16} {self.mnemonic:6} {', '.join(self.operands)}"
+ +1190 def is_valid(self) -> bool:
+1191 return "(bad)" not in self.mnemonic
+ +1193 def size(self) -> int:
+1194 return len(self.opcodes)
+ +1196 def next(self) -> "Instruction":
+1197 address = self.address + self.size()
+1198 return gef_get_instruction_at(address)
+ + +1201@deprecated("Use GefHeapManager.find_main_arena_addr()")
+1202def search_for_main_arena() -> int:
+1203 return GefHeapManager.find_main_arena_addr()
+ +1205class GlibcHeapInfo:
+1206 """Glibc heap_info struct"""
+ +1208 @staticmethod
+1209 def heap_info_t() -> Type[ctypes.Structure]:
+1210 assert gef.libc.version
+1211 class heap_info_cls(ctypes.Structure):
+1212 pass
+1213 pointer = ctypes.c_uint64 if gef.arch.ptrsize == 8 else ctypes.c_uint32
+1214 pad_size = -5 * gef.arch.ptrsize & (gef.heap.malloc_alignment - 1)
+1215 fields = [
+1216 ("ar_ptr", ctypes.POINTER(GlibcArena.malloc_state_t())),
+1217 ("prev", ctypes.POINTER(heap_info_cls)),
+1218 ("size", pointer)
+1219 ]
+1220 if gef.libc.version >= (2, 5): 1220 ↛ 1225line 1220 didn't jump to line 1225, because the condition on line 1220 was never false
+1221 fields += [
+1222 ("mprotect_size", pointer)
+1223 ]
+1224 pad_size = -6 * gef.arch.ptrsize & (gef.heap.malloc_alignment - 1)
+1225 if gef.libc.version >= (2, 34): 1225 ↛ 1230line 1225 didn't jump to line 1230, because the condition on line 1225 was never false
+1226 fields += [
+1227 ("pagesize", pointer)
+1228 ]
+1229 pad_size = -3 * gef.arch.ptrsize & (gef.heap.malloc_alignment - 1)
+1230 fields += [
+1231 ("pad", ctypes.c_uint8*pad_size)
+1232 ]
+1233 heap_info_cls._fields_ = fields
+1234 return heap_info_cls
+ +1236 def __init__(self, addr: Union[str, int]) -> None:
+1237 self.__address : int = parse_address(f"&{addr}") if isinstance(addr, str) else addr
+1238 self.reset()
+1239 return
+ +1241 def reset(self):
+1242 self._sizeof = ctypes.sizeof(GlibcHeapInfo.heap_info_t())
+1243 self._data = gef.memory.read(self.__address, ctypes.sizeof(GlibcHeapInfo.heap_info_t()))
+1244 self._heap_info = GlibcHeapInfo.heap_info_t().from_buffer_copy(self._data)
+1245 return
+ +1247 def __getattr__(self, item: Any) -> Any:
+1248 if item in dir(self._heap_info): 1248 ↛ 1250line 1248 didn't jump to line 1250, because the condition on line 1248 was never false
+1249 return ctypes.cast(getattr(self._heap_info, item), ctypes.c_void_p).value
+1250 return getattr(self, item)
+ +1252 def __abs__(self) -> int:
+1253 return self.__address
+ +1255 def __int__(self) -> int:
+1256 return self.__address
+ +1258 @property
+1259 def address(self) -> int:
+1260 return self.__address
+ +1262 @property
+1263 def sizeof(self) -> int:
+1264 return self._sizeof
+ +1266 @property
+1267 def addr(self) -> int:
+1268 return int(self)
+ +1270 @property
+1271 def heap_start(self) -> int:
+1272 # check special case: first heap of non-main-arena
+1273 if self.ar_ptr - self.address < 0x60: 1273 ↛ 1285line 1273 didn't jump to line 1285, because the condition on line 1273 was never false
+1274 # the first heap of a non-main-arena starts with a `heap_info`
+1275 # struct, which should fit easily into 0x60 bytes throughout
+1276 # all architectures and glibc versions. If this check succeeds
+1277 # then we are currently looking at such a "first heap"
+1278 arena = GlibcArena(f"*{self.ar_ptr:#x}")
+1279 heap_addr = arena.heap_addr()
+1280 if heap_addr: 1280 ↛ 1283line 1280 didn't jump to line 1283, because the condition on line 1280 was never false
+1281 return heap_addr
+1282 else:
+1283 err(f"Cannot find heap address for arena {self.ar_ptr:#x}")
+1284 return 0
+1285 return self.address + self.sizeof
+ +1287 @property
+1288 def heap_end(self) -> int:
+1289 return self.address + self.size
+ + +1292class GlibcArena:
+1293 """Glibc arena class"""
+ +1295 NFASTBINS = 10
+1296 NBINS = 128
+1297 NSMALLBINS = 64
+1298 BINMAPSHIFT = 5
+1299 BITSPERMAP = 1 << BINMAPSHIFT
+1300 BINMAPSIZE = NBINS // BITSPERMAP
+ +1302 @staticmethod
+1303 def malloc_state_t() -> Type[ctypes.Structure]:
+1304 pointer = ctypes.c_uint64 if gef and gef.arch.ptrsize == 8 else ctypes.c_uint32
+1305 fields = [
+1306 ("mutex", ctypes.c_uint32),
+1307 ("flags", ctypes.c_uint32),
+1308 ]
+1309 if gef and gef.libc.version and gef.libc.version >= (2, 27): 1309 ↛ 1315line 1309 didn't jump to line 1315, because the condition on line 1309 was never false
+1310 # https://elixir.bootlin.com/glibc/glibc-2.27/source/malloc/malloc.c#L1684
+1311 fields += [
+1312 ("have_fastchunks", ctypes.c_uint32),
+1313 ("UNUSED_c", ctypes.c_uint32), # padding to align to 0x10
+1314 ]
+1315 fields += [
+1316 ("fastbinsY", GlibcArena.NFASTBINS * pointer),
+1317 ("top", pointer),
+1318 ("last_remainder", pointer),
+1319 ("bins", (GlibcArena.NBINS * 2 - 2) * pointer),
+1320 ("binmap", GlibcArena.BINMAPSIZE * ctypes.c_uint32),
+1321 ("next", pointer),
+1322 ("next_free", pointer)
+1323 ]
+1324 if gef and gef.libc.version and gef.libc.version >= (2, 23): 1324 ↛ 1329line 1324 didn't jump to line 1329, because the condition on line 1324 was never false
+1325 # https://elixir.bootlin.com/glibc/glibc-2.23/source/malloc/malloc.c#L1719
+1326 fields += [
+1327 ("attached_threads", pointer)
+1328 ]
+1329 fields += [
+1330 ("system_mem", pointer),
+1331 ("max_system_mem", pointer),
+1332 ]
+1333 class malloc_state_cls(ctypes.Structure):
+1334 _fields_ = fields
+1335 return malloc_state_cls
+ +1337 def __init__(self, addr: str) -> None:
+1338 try:
+1339 self.__address : int = parse_address(f"&{addr}")
+1340 except gdb.error:
+1341 self.__address : int = GefHeapManager.find_main_arena_addr()
+1342 # if `find_main_arena_addr` throws `gdb.error` on symbol lookup:
+1343 # it means the session is not started, so just propagate the exception
+1344 self.reset()
+1345 return
+ +1347 def reset(self):
+1348 self._sizeof = ctypes.sizeof(GlibcArena.malloc_state_t())
+1349 self._data = gef.memory.read(self.__address, ctypes.sizeof(GlibcArena.malloc_state_t()))
+1350 self.__arena = GlibcArena.malloc_state_t().from_buffer_copy(self._data)
+1351 return
+ +1353 def __abs__(self) -> int:
+1354 return self.__address
+ +1356 def __int__(self) -> int:
+1357 return self.__address
+ +1359 def __iter__(self) -> Generator["GlibcArena", None, None]:
+1360 main_arena = int(gef.heap.main_arena)
+ +1362 current_arena = self
+1363 yield current_arena
+ +1365 while True:
+1366 if current_arena.next == 0 or current_arena.next == main_arena:
+1367 break
+ +1369 current_arena = GlibcArena(f"*{current_arena.next:#x} ")
+1370 yield current_arena
+1371 return
+ +1373 def __eq__(self, other: "GlibcArena") -> bool:
+1374 return self.__address == int(other)
+ +1376 def __str__(self) -> str:
+1377 properties = f"base={self.__address:#x}, top={self.top:#x}, " \
+1378 f"last_remainder={self.last_remainder:#x}, next={self.next:#x}"
+1379 return (f"{Color.colorify('Arena', 'blue bold underline')}({properties})")
+ +1381 def __repr__(self) -> str:
+1382 return f"GlibcArena(address={self.__address:#x}, size={self._sizeof})"
+ +1384 @property
+1385 def address(self) -> int:
+1386 return self.__address
+ +1388 @property
+1389 def sizeof(self) -> int:
+1390 return self._sizeof
+ +1392 @property
+1393 def addr(self) -> int:
+1394 return int(self)
+ +1396 @property
+1397 def top(self) -> int:
+1398 return self.__arena.top
+ +1400 @property
+1401 def last_remainder(self) -> int:
+1402 return self.__arena.last_remainder
+ +1404 @property
+1405 def fastbinsY(self) -> ctypes.Array:
+1406 return self.__arena.fastbinsY
+ +1408 @property
+1409 def bins(self) -> ctypes.Array:
+1410 return self.__arena.bins
+ +1412 @property
+1413 def binmap(self) -> ctypes.Array:
+1414 return self.__arena.binmap
+ +1416 @property
+1417 def next(self) -> int:
+1418 return self.__arena.next
+ +1420 @property
+1421 def next_free(self) -> int:
+1422 return self.__arena.next_free
+ +1424 @property
+1425 def attached_threads(self) -> int:
+1426 return self.__arena.attached_threads
+ +1428 @property
+1429 def system_mem(self) -> int:
+1430 return self.__arena.system_mem
+ +1432 @property
+1433 def max_system_mem(self) -> int:
+1434 return self.__arena.max_system_mem
+ +1436 def fastbin(self, i: int) -> Optional["GlibcFastChunk"]:
+1437 """Return head chunk in fastbinsY[i]."""
+1438 addr = int(self.fastbinsY[i])
+1439 if addr == 0:
+1440 return None
+1441 return GlibcFastChunk(addr + 2 * gef.arch.ptrsize)
+ +1443 def bin(self, i: int) -> Tuple[int, int]:
+1444 idx = i * 2
+1445 fd = int(self.bins[idx])
+1446 bk = int(self.bins[idx + 1])
+1447 return fd, bk
+ +1449 def bin_at(self, i) -> int:
+1450 header_sz = 2 * gef.arch.ptrsize
+1451 offset = ctypes.addressof(self.__arena.bins) - ctypes.addressof(self.__arena)
+1452 return self.__address + offset + (i-1) * 2 * gef.arch.ptrsize + header_sz
+ +1454 def is_main_arena(self) -> bool:
+1455 return gef.heap.main_arena is not None and int(self) == int(gef.heap.main_arena)
+ +1457 def heap_addr(self, allow_unaligned: bool = False) -> Optional[int]:
+1458 if self.is_main_arena():
+1459 heap_section = gef.heap.base_address
+1460 if not heap_section: 1460 ↛ 1461line 1460 didn't jump to line 1461, because the condition on line 1460 was never true
+1461 return None
+1462 return heap_section
+1463 _addr = int(self) + self.sizeof
+1464 if allow_unaligned: 1464 ↛ 1465line 1464 didn't jump to line 1465, because the condition on line 1464 was never true
+1465 return _addr
+1466 return gef.heap.malloc_align_address(_addr)
+ +1468 def get_heap_info_list(self) -> Optional[List[GlibcHeapInfo]]:
+1469 if self.is_main_arena(): 1469 ↛ 1470line 1469 didn't jump to line 1470, because the condition on line 1469 was never true
+1470 return None
+1471 heap_addr = self.get_heap_for_ptr(self.top)
+1472 heap_infos = [GlibcHeapInfo(heap_addr)]
+1473 while heap_infos[-1].prev is not None: 1473 ↛ 1474line 1473 didn't jump to line 1474, because the condition on line 1473 was never true
+1474 prev = int(heap_infos[-1].prev)
+1475 heap_info = GlibcHeapInfo(prev)
+1476 heap_infos.append(heap_info)
+1477 return heap_infos[::-1]
+ +1479 @staticmethod
+1480 def get_heap_for_ptr(ptr: int) -> int:
+1481 """Find the corresponding heap for a given pointer (int).
+1482 See https://github.com/bminor/glibc/blob/glibc-2.34/malloc/arena.c#L129"""
+1483 if is_32bit(): 1483 ↛ 1484line 1483 didn't jump to line 1484, because the condition on line 1483 was never true
+1484 default_mmap_threshold_max = 512 * 1024
+1485 else: # 64bit
+1486 default_mmap_threshold_max = 4 * 1024 * 1024 * cached_lookup_type("long").sizeof
+1487 heap_max_size = 2 * default_mmap_threshold_max
+1488 return ptr & ~(heap_max_size - 1)
+ +1490 @staticmethod
+1491 def verify(addr: int) -> bool:
+1492 """Verify that the address matches a possible valid GlibcArena"""
+1493 try:
+1494 test_arena = GlibcArena(f"*{addr:#x}")
+1495 cur_arena = GlibcArena(f"*{test_arena.next:#x}")
+1496 while cur_arena != test_arena:
+1497 if cur_arena == 0:
+1498 return False
+1499 cur_arena = GlibcArena(f"*{cur_arena.next:#x}")
+1500 except Exception as e:
+1501 return False
+1502 return True
+ + +1505class GlibcChunk:
+1506 """Glibc chunk class. The default behavior (from_base=False) is to interpret the data starting at the memory
+1507 address pointed to as the chunk data. Setting from_base to True instead treats that data as the chunk header.
+1508 Ref: https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/."""
+ +1510 class ChunkFlags(enum.IntFlag):
+1511 PREV_INUSE = 1
+1512 IS_MMAPPED = 2
+1513 NON_MAIN_ARENA = 4
+ +1515 def __str__(self) -> str:
+1516 return f" | ".join([
+1517 Color.greenify("PREV_INUSE") if self.value & self.PREV_INUSE else Color.redify("PREV_INUSE"),
+1518 Color.greenify("IS_MMAPPED") if self.value & self.IS_MMAPPED else Color.redify("IS_MMAPPED"),
+1519 Color.greenify("NON_MAIN_ARENA") if self.value & self.NON_MAIN_ARENA else Color.redify("NON_MAIN_ARENA")
+1520 ])
+ +1522 @staticmethod
+1523 def malloc_chunk_t() -> Type[ctypes.Structure]:
+1524 pointer = ctypes.c_uint64 if gef and gef.arch.ptrsize == 8 else ctypes.c_uint32
+1525 class malloc_chunk_cls(ctypes.Structure):
+1526 pass
+ +1528 malloc_chunk_cls._fields_ = [
+1529 ("prev_size", pointer),
+1530 ("size", pointer),
+1531 ("fd", pointer),
+1532 ("bk", pointer),
+1533 ("fd_nextsize", ctypes.POINTER(malloc_chunk_cls)),
+1534 ("bk_nextsize", ctypes.POINTER(malloc_chunk_cls)),
+1535 ]
+1536 return malloc_chunk_cls
+ +1538 def __init__(self, addr: int, from_base: bool = False, allow_unaligned: bool = True) -> None:
+1539 ptrsize = gef.arch.ptrsize
+1540 self.data_address = addr + 2 * ptrsize if from_base else addr
+1541 self.base_address = addr if from_base else addr - 2 * ptrsize
+1542 if not allow_unaligned:
+1543 self.data_address = gef.heap.malloc_align_address(self.data_address)
+1544 self.size_addr = int(self.data_address - ptrsize)
+1545 self.prev_size_addr = self.base_address
+1546 self.reset()
+1547 return
+ +1549 def reset(self):
+1550 self._sizeof = ctypes.sizeof(GlibcChunk.malloc_chunk_t())
+1551 self._data = gef.memory.read(
+1552 self.base_address, ctypes.sizeof(GlibcChunk.malloc_chunk_t()))
+1553 self._chunk = GlibcChunk.malloc_chunk_t().from_buffer_copy(self._data)
+1554 return
+ +1556 @property
+1557 def prev_size(self) -> int:
+1558 return self._chunk.prev_size
+ +1560 @property
+1561 def size(self) -> int:
+1562 return self._chunk.size & (~0x07)
+ +1564 @property
+1565 def flags(self) -> ChunkFlags:
+1566 return GlibcChunk.ChunkFlags(self._chunk.size & 0x07)
+ +1568 @property
+1569 def fd(self) -> int:
+1570 return self._chunk.fd
+ +1572 @property
+1573 def bk(self) -> int:
+1574 return self._chunk.bk
+ +1576 @property
+1577 def fd_nextsize(self) -> int:
+1578 return self._chunk.fd_nextsize
+ +1580 @property
+1581 def bk_nextsize(self) -> int:
+1582 return self._chunk.bk_nextsize
+ +1584 def get_usable_size(self) -> int:
+1585 # https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L4537
+1586 ptrsz = gef.arch.ptrsize
+1587 cursz = self.size
+1588 if cursz == 0: return cursz 1588 ↛ exitline 1588 didn't return from function 'get_usable_size', because the return on line 1588 wasn't executed
+1589 if self.has_m_bit(): return cursz - 2 * ptrsz 1589 ↛ exitline 1589 didn't return from function 'get_usable_size', because the return on line 1589 wasn't executed
+1590 return cursz - ptrsz
+ +1592 @property
+1593 def usable_size(self) -> int:
+1594 return self.get_usable_size()
+ +1596 def get_prev_chunk_size(self) -> int:
+1597 return gef.memory.read_integer(self.prev_size_addr)
+ +1599 def __iter__(self) -> Generator["GlibcChunk", None, None]:
+1600 current_chunk = self
+1601 top = gef.heap.main_arena.top
+ +1603 while True:
+1604 yield current_chunk
+ +1606 if current_chunk.base_address == top: 1606 ↛ 1607line 1606 didn't jump to line 1607, because the condition on line 1606 was never true
+1607 break
+ +1609 if current_chunk.size == 0: 1609 ↛ 1610line 1609 didn't jump to line 1610, because the condition on line 1609 was never true
+1610 break
+ +1612 next_chunk_addr = current_chunk.get_next_chunk_addr()
+ +1614 if not Address(value=next_chunk_addr).valid: 1614 ↛ 1615line 1614 didn't jump to line 1615, because the condition on line 1614 was never true
+1615 break
+ +1617 next_chunk = current_chunk.get_next_chunk()
+1618 if next_chunk is None: 1618 ↛ 1619line 1618 didn't jump to line 1619, because the condition on line 1618 was never true
+1619 break
+ +1621 current_chunk = next_chunk
+1622 return
+ +1624 def get_next_chunk(self, allow_unaligned: bool = False) -> "GlibcChunk":
+1625 addr = self.get_next_chunk_addr()
+1626 return GlibcChunk(addr, allow_unaligned=allow_unaligned)
+ +1628 def get_next_chunk_addr(self) -> int:
+1629 return self.data_address + self.size
+ +1631 def has_p_bit(self) -> bool:
+1632 return bool(self.flags & GlibcChunk.ChunkFlags.PREV_INUSE)
+ +1634 def has_m_bit(self) -> bool:
+1635 return bool(self.flags & GlibcChunk.ChunkFlags.IS_MMAPPED)
+ +1637 def has_n_bit(self) -> bool:
+1638 return bool(self.flags & GlibcChunk.ChunkFlags.NON_MAIN_ARENA)
+ +1640 def is_used(self) -> bool:
+1641 """Check if the current block is used by:
+1642 - checking the M bit is true
+1643 - or checking that next chunk PREV_INUSE flag is true"""
+1644 if self.has_m_bit(): 1644 ↛ 1645line 1644 didn't jump to line 1645, because the condition on line 1644 was never true
+1645 return True
+ +1647 next_chunk = self.get_next_chunk()
+1648 return True if next_chunk.has_p_bit() else False
+ +1650 def __str_sizes(self) -> str:
+1651 msg = []
+1652 failed = False
+ +1654 try:
+1655 msg.append("Chunk size: {0:d} ({0:#x})".format(self.size))
+1656 msg.append("Usable size: {0:d} ({0:#x})".format(self.usable_size))
+1657 failed = True
+1658 except gdb.MemoryError:
+1659 msg.append(f"Chunk size: Cannot read at {self.size_addr:#x} (corrupted?)")
+ +1661 try:
+1662 msg.append("Previous chunk size: {0:d} ({0:#x})".format(self.get_prev_chunk_size()))
+1663 failed = True
+1664 except gdb.MemoryError:
+1665 msg.append(f"Previous chunk size: Cannot read at {self.base_address:#x} (corrupted?)")
+ +1667 if failed: 1667 ↛ 1670line 1667 didn't jump to line 1670, because the condition on line 1667 was never false
+1668 msg.append(str(self.flags))
+ +1670 return "\n".join(msg)
+ +1672 def _str_pointers(self) -> str:
+1673 fwd = self.data_address
+1674 bkw = self.data_address + gef.arch.ptrsize
+ +1676 msg = []
+1677 try:
+1678 msg.append(f"Forward pointer: {self.fd:#x}")
+1679 except gdb.MemoryError:
+1680 msg.append(f"Forward pointer: {fwd:#x} (corrupted?)")
+ +1682 try:
+1683 msg.append(f"Backward pointer: {self.bk:#x}")
+1684 except gdb.MemoryError:
+1685 msg.append(f"Backward pointer: {bkw:#x} (corrupted?)")
+ +1687 return "\n".join(msg)
+ +1689 def __str__(self) -> str:
+1690 return (f"{Color.colorify('Chunk', 'yellow bold underline')}(addr={self.data_address:#x}, "
+1691 f"size={self.size:#x}, flags={self.flags!s})")
+ +1693 def psprint(self) -> str:
+1694 msg = [
+1695 str(self),
+1696 self.__str_sizes(),
+1697 ]
+1698 if not self.is_used(): 1698 ↛ 1699line 1698 didn't jump to line 1699, because the condition on line 1698 was never true
+1699 msg.append(f"\n\n{self._str_pointers()}")
+1700 return "\n".join(msg) + "\n"
+ + +1703class GlibcFastChunk(GlibcChunk):
+ +1705 @property
+1706 def fd(self) -> int:
+1707 assert(gef and gef.libc.version)
+1708 if gef.libc.version < (2, 32): 1708 ↛ 1709line 1708 didn't jump to line 1709, because the condition on line 1708 was never true
+1709 return self._chunk.fd
+1710 return self.reveal_ptr(self.data_address)
+ +1712 def protect_ptr(self, pos: int, pointer: int) -> int:
+1713 """https://elixir.bootlin.com/glibc/glibc-2.32/source/malloc/malloc.c#L339"""
+1714 assert(gef and gef.libc.version)
+1715 if gef.libc.version < (2, 32):
+1716 return pointer
+1717 return (pos >> 12) ^ pointer
+ +1719 def reveal_ptr(self, pointer: int) -> int:
+1720 """https://elixir.bootlin.com/glibc/glibc-2.32/source/malloc/malloc.c#L341"""
+1721 assert(gef and gef.libc.version)
+1722 if gef.libc.version < (2, 32): 1722 ↛ 1723line 1722 didn't jump to line 1723, because the condition on line 1722 was never true
+1723 return pointer
+1724 return gef.memory.read_integer(pointer) ^ (pointer >> 12)
+ +1726class GlibcTcacheChunk(GlibcFastChunk):
+ +1728 pass
+ +1730@deprecated("Use GefLibcManager.find_libc_version()")
+1731def get_libc_version() -> Tuple[int, ...]:
+1732 return GefLibcManager.find_libc_version()
+ +1734def titlify(text: str, color: Optional[str] = None, msg_color: Optional[str] = None) -> str:
+1735 """Print a centered title."""
+1736 _, cols = get_terminal_size()
+1737 nb = (cols - len(text) - 2) // 2
+1738 line_color = color or gef.config["theme.default_title_line"]
+1739 text_color = msg_color or gef.config["theme.default_title_message"]
+ +1741 msg = [Color.colorify(f"{HORIZONTAL_LINE * nb} ", line_color),
+1742 Color.colorify(text, text_color),
+1743 Color.colorify(f" {HORIZONTAL_LINE * nb}", line_color)]
+1744 return "".join(msg)
+ + +1747def dbg(msg: str) -> None:
+1748 if gef.config["gef.debug"] is True: 1748 ↛ 1750line 1748 didn't jump to line 1750, because the condition on line 1748 was never false
+1749 gef_print(f"{Color.colorify('[=]', 'bold cyan')} {msg}")
+1750 return
+ + +1753def err(msg: str) -> None:
+1754 gef_print(f"{Color.colorify('[!]', 'bold red')} {msg}")
+1755 return
+ + +1758def warn(msg: str) -> None:
+1759 gef_print(f"{Color.colorify('[*]', 'bold yellow')} {msg}")
+1760 return
+ + +1763def ok(msg: str) -> None:
+1764 gef_print(f"{Color.colorify('[+]', 'bold green')} {msg}")
+1765 return
+ + +1768def info(msg: str) -> None:
+1769 gef_print(f"{Color.colorify('[+]', 'bold blue')} {msg}")
+1770 return
+ + +1773def push_context_message(level: str, message: str) -> None:
+1774 """Push the message to be displayed the next time the context is invoked."""
+1775 if level not in ("error", "warn", "ok", "info"): 1775 ↛ 1776line 1775 didn't jump to line 1776, because the condition on line 1775 was never true
+1776 err(f"Invalid level '{level}', discarding message")
+1777 return
+1778 gef.ui.context_messages.append((level, message))
+1779 return
+ + +1782def show_last_exception() -> None:
+1783 """Display the last Python exception."""
+ +1785 def _show_code_line(fname: str, idx: int) -> str:
+1786 fname = os.path.expanduser(os.path.expandvars(fname))
+1787 with open(fname, "r") as f:
+1788 _data = f.readlines()
+1789 return _data[idx - 1] if 0 < idx < len(_data) else ""
+ +1791 gef_print("")
+1792 exc_type, exc_value, exc_traceback = sys.exc_info()
+ +1794 gef_print(" Exception raised ".center(80, HORIZONTAL_LINE))
+1795 gef_print(f"{Color.colorify(exc_type.__name__, 'bold underline red')}: {exc_value}")
+1796 gef_print(" Detailed stacktrace ".center(80, HORIZONTAL_LINE))
+ +1798 for fs in traceback.extract_tb(exc_traceback)[::-1]:
+1799 filename, lineno, method, code = fs
+ +1801 if not code or not code.strip(): 1801 ↛ 1802line 1801 didn't jump to line 1802, because the condition on line 1801 was never true
+1802 code = _show_code_line(filename, lineno)
+ +1804 gef_print(f"""{DOWN_ARROW} File "{Color.yellowify(filename)}", line {lineno:d}, in {Color.greenify(method)}()""")
+1805 gef_print(f" {RIGHT_ARROW} {code}")
+ +1807 gef_print(" Version ".center(80, HORIZONTAL_LINE))
+1808 gdb.execute("version full")
+1809 gef_print(" Last 10 GDB commands ".center(80, HORIZONTAL_LINE))
+1810 gdb.execute("show commands")
+1811 gef_print(" Runtime environment ".center(80, HORIZONTAL_LINE))
+1812 gef_print(f"* GDB: {gdb.VERSION}")
+1813 gef_print(f"* Python: {sys.version_info.major:d}.{sys.version_info.minor:d}.{sys.version_info.micro:d} - {sys.version_info.releaselevel}")
+1814 gef_print(f"* OS: {platform.system()} - {platform.release()} ({platform.machine()})")
+ +1816 try:
+1817 lsb_release = which("lsb_release")
+1818 gdb.execute(f"!{lsb_release} -a")
+1819 except FileNotFoundError:
+1820 gef_print("lsb_release is missing, cannot collect additional debug information")
+ +1822 gef_print(HORIZONTAL_LINE*80)
+1823 gef_print("")
+1824 return
+ + +1827def gef_pystring(x: bytes) -> str:
+1828 """Returns a sanitized version as string of the bytes list given in input."""
+1829 res = str(x, encoding="utf-8")
+1830 substs = [("\n", "\\n"), ("\r", "\\r"), ("\t", "\\t"), ("\v", "\\v"), ("\b", "\\b"), ]
+1831 for x, y in substs: res = res.replace(x, y)
+1832 return res
+ + +1835def gef_pybytes(x: str) -> bytes:
+1836 """Returns an immutable bytes list from the string given as input."""
+1837 return bytes(str(x), encoding="utf-8")
+ + +1840@lru_cache()
+1841def which(program: str) -> pathlib.Path:
+1842 """Locate a command on the filesystem."""
+1843 for path in os.environ["PATH"].split(os.pathsep):
+1844 dirname = pathlib.Path(path)
+1845 fpath = dirname / program
+1846 if os.access(fpath, os.X_OK):
+1847 return fpath
+ +1849 raise FileNotFoundError(f"Missing file `{program}`")
+ + +1852def style_byte(b: int, color: bool = True) -> str:
+1853 style = {
+1854 "nonprintable": "yellow",
+1855 "printable": "white",
+1856 "00": "gray",
+1857 "0a": "blue",
+1858 "ff": "green",
+1859 }
+1860 sbyte = f"{b:02x}"
+1861 if not color or gef.config["highlight.regex"]:
+1862 return sbyte
+ +1864 if sbyte in style:
+1865 st = style[sbyte]
+1866 elif chr(b) in (string.ascii_letters + string.digits + string.punctuation + " "):
+1867 st = style.get("printable")
+1868 else:
+1869 st = style.get("nonprintable")
+1870 if st: 1870 ↛ 1872line 1870 didn't jump to line 1872, because the condition on line 1870 was never false
+1871 sbyte = Color.colorify(sbyte, st)
+1872 return sbyte
+ + +1875def hexdump(source: ByteString, length: int = 0x10, separator: str = ".", show_raw: bool = False, show_symbol: bool = True, base: int = 0x00) -> str:
+1876 """Return the hexdump of `src` argument.
+1877 @param source *MUST* be of type bytes or bytearray
+1878 @param length is the length of items per line
+1879 @param separator is the default character to use if one byte is not printable
+1880 @param show_raw if True, do not add the line nor the text translation
+1881 @param base is the start address of the block being hexdump
+1882 @return a string with the hexdump"""
+1883 result = []
+1884 align = gef.arch.ptrsize * 2 + 2 if is_alive() else 18
+ +1886 for i in range(0, len(source), length):
+1887 chunk = bytearray(source[i : i + length])
+1888 hexa = " ".join([style_byte(b, color=not show_raw) for b in chunk])
+ +1890 if show_raw:
+1891 result.append(hexa)
+1892 continue
+ +1894 text = "".join([chr(b) if 0x20 <= b < 0x7F else separator for b in chunk])
+1895 if show_symbol: 1895 ↛ 1899line 1895 didn't jump to line 1899, because the condition on line 1895 was never false
+1896 sym = gdb_get_location_from_symbol(base + i)
+1897 sym = "<{:s}+{:04x}>".format(*sym) if sym else ""
+1898 else:
+1899 sym = ""
+ +1901 result.append(f"{base + i:#0{align}x} {sym} {hexa:<{3 * length}} {text}")
+1902 return "\n".join(result)
+ + +1905def is_debug() -> bool:
+1906 """Check if debug mode is enabled."""
+1907 return gef.config["gef.debug"] is True
+ + +1910def buffer_output() -> bool:
+1911 """Check if output should be buffered until command completion."""
+1912 return gef.config["gef.buffer"] is True
+ + +1915def hide_context() -> bool:
+1916 """Helper function to hide the context pane."""
+1917 gef.ui.context_hidden = True
+1918 return True
+ + +1921def unhide_context() -> bool:
+1922 """Helper function to unhide the context pane."""
+1923 gef.ui.context_hidden = False
+1924 return True
+ + +1927class DisableContextOutputContext:
+1928 def __enter__(self) -> None:
+1929 hide_context()
+1930 return
+ +1932 def __exit__(self, *exc: Any) -> None:
+1933 unhide_context()
+1934 return
+ + +1937class RedirectOutputContext:
+1938 def __init__(self, to: str = "/dev/null") -> None:
+1939 self.redirection_target_file = to
+1940 return
+ +1942 def __enter__(self) -> None:
+1943 """Redirect all GDB output to `to_file` parameter. By default, `to_file` redirects to `/dev/null`."""
+1944 gdb.execute("set logging overwrite")
+1945 gdb.execute(f"set logging file {self.redirection_target_file}")
+1946 gdb.execute("set logging redirect on")
+1947 gdb.execute("set logging on")
+1948 return
+ +1950 def __exit__(self, *exc: Any) -> None:
+1951 """Disable the output redirection, if any."""
+1952 gdb.execute("set logging off")
+1953 gdb.execute("set logging redirect off")
+1954 return
+ + +1957def enable_redirect_output(to_file: str = "/dev/null") -> None:
+1958 """Redirect all GDB output to `to_file` parameter. By default, `to_file` redirects to `/dev/null`."""
+1959 gdb.execute("set logging overwrite")
+1960 gdb.execute(f"set logging file {to_file}")
+1961 gdb.execute("set logging redirect on")
+1962 gdb.execute("set logging on")
+1963 return
+ + +1966def disable_redirect_output() -> None:
+1967 """Disable the output redirection, if any."""
+1968 gdb.execute("set logging off")
+1969 gdb.execute("set logging redirect off")
+1970 return
+ + +1973def gef_makedirs(path: str, mode: int = 0o755) -> pathlib.Path:
+1974 """Recursive mkdir() creation. If successful, return the absolute path of the directory created."""
+1975 fpath = pathlib.Path(path)
+1976 if not fpath.is_dir():
+1977 fpath.mkdir(mode=mode, exist_ok=True, parents=True)
+1978 return fpath.absolute()
+ + +1981@lru_cache()
+1982def gdb_lookup_symbol(sym: str) -> Optional[Tuple[Optional[str], Optional[Tuple[gdb.Symtab_and_line, ...]]]]:
+1983 """Fetch the proper symbol or None if not defined."""
+1984 try:
+1985 return gdb.decode_line(sym)[1]
+1986 except gdb.error:
+1987 return None
+ + +1990@lru_cache(maxsize=512)
+1991def gdb_get_location_from_symbol(address: int) -> Optional[Tuple[str, int]]:
+1992 """Retrieve the location of the `address` argument from the symbol table.
+1993 Return a tuple with the name and offset if found, None otherwise."""
+1994 # this is horrible, ugly hack and shitty perf...
+1995 # find a *clean* way to get gdb.Location from an address
+1996 sym = str(gdb.execute(f"info symbol {address:#x}", to_string=True))
+1997 if sym.startswith("No symbol matches"):
+1998 return None
+ +2000 i = sym.find(" in section ")
+2001 sym = sym[:i].split()
+2002 name, offset = sym[0], 0
+2003 if len(sym) == 3 and sym[2].isdigit():
+2004 offset = int(sym[2])
+2005 return name, offset
+ + +2008def gdb_disassemble(start_pc: int, **kwargs: int) -> Generator[Instruction, None, None]:
+2009 """Disassemble instructions from `start_pc` (Integer). Accepts the following named
+2010 parameters:
+2011 - `end_pc` (Integer) only instructions whose start address fall in the interval from
+2012 start_pc to end_pc are returned.
+2013 - `count` (Integer) list at most this many disassembled instructions
+2014 If `end_pc` and `count` are not provided, the function will behave as if `count=1`.
+2015 Return an iterator of Instruction objects
+2016 """
+2017 frame = gdb.selected_frame()
+2018 arch = frame.architecture()
+ +2020 for insn in arch.disassemble(start_pc, **kwargs):
+2021 assert isinstance(insn["addr"], int)
+2022 assert isinstance(insn["length"], int)
+2023 assert isinstance(insn["asm"], str)
+2024 address = insn["addr"]
+2025 asm = insn["asm"].rstrip().split(None, 1)
+2026 if len(asm) > 1:
+2027 mnemo, operands = asm
+2028 operands = operands.split(",")
+2029 else:
+2030 mnemo, operands = asm[0], []
+ +2032 loc = gdb_get_location_from_symbol(address)
+2033 location = "<{}+{}>".format(*loc) if loc else ""
+ +2035 opcodes = gef.memory.read(insn["addr"], insn["length"])
+ +2037 yield Instruction(address, location, mnemo, operands, opcodes)
+ + +2040def gdb_get_nth_previous_instruction_address(addr: int, n: int) -> Optional[int]:
+2041 """Return the address (Integer) of the `n`-th instruction before `addr`."""
+2042 # fixed-length ABI
+2043 if gef.arch.instruction_length: 2043 ↛ 2044line 2043 didn't jump to line 2044, because the condition on line 2043 was never true
+2044 return max(0, addr - n * gef.arch.instruction_length)
+ +2046 # variable-length ABI
+2047 cur_insn_addr = gef_current_instruction(addr).address
+ +2049 # we try to find a good set of previous instructions by "guessing" disassembling backwards
+2050 # the 15 comes from the longest instruction valid size
+2051 for i in range(15 * n, 0, -1): 2051 ↛ 2074line 2051 didn't jump to line 2074, because the loop on line 2051 didn't complete
+2052 try:
+2053 insns = list(gdb_disassemble(addr - i, end_pc=cur_insn_addr))
+2054 except gdb.MemoryError:
+2055 # this is because we can hit an unmapped page trying to read backward
+2056 break
+ +2058 # 1. check that the disassembled instructions list size can satisfy
+2059 if len(insns) < n + 1: # we expect the current instruction plus the n before it 2059 ↛ 2060line 2059 didn't jump to line 2060, because the condition on line 2059 was never true
+2060 continue
+ +2062 # If the list of instructions is longer than what we need, then we
+2063 # could get lucky and already have more than what we need, so slice down
+2064 insns = insns[-n - 1 :]
+ +2066 # 2. check that the sequence ends with the current address
+2067 if insns[-1].address != cur_insn_addr: 2067 ↛ 2068line 2067 didn't jump to line 2068, because the condition on line 2067 was never true
+2068 continue
+ +2070 # 3. check all instructions are valid
+2071 if all(insn.is_valid() for insn in insns): 2071 ↛ 2051line 2071 didn't jump to line 2051, because the condition on line 2071 was never false
+2072 return insns[0].address
+ +2074 return None
+ + +2077@deprecated(solution="Use `gef_instruction_n().address`")
+2078def gdb_get_nth_next_instruction_address(addr: int, n: int) -> int:
+2079 """Return the address of the `n`-th instruction after `addr`. """
+2080 return gef_instruction_n(addr, n).address
+ + +2083def gef_instruction_n(addr: int, n: int) -> Instruction:
+2084 """Return the `n`-th instruction after `addr` as an Instruction object. Note that `n` is treated as
+2085 an positive index, starting from 0 (current instruction address)"""
+2086 return list(gdb_disassemble(addr, count=n + 1))[n]
+ + +2089def gef_get_instruction_at(addr: int) -> Instruction:
+2090 """Return the full Instruction found at the specified address."""
+2091 insn = next(gef_disassemble(addr, 1))
+2092 return insn
+ + +2095def gef_current_instruction(addr: int) -> Instruction:
+2096 """Return the current instruction as an Instruction object."""
+2097 return gef_instruction_n(addr, 0)
+ + +2100def gef_next_instruction(addr: int) -> Instruction:
+2101 """Return the next instruction as an Instruction object."""
+2102 return gef_instruction_n(addr, 1)
+ + +2105def gef_disassemble(addr: int, nb_insn: int, nb_prev: int = 0) -> Generator[Instruction, None, None]:
+2106 """Disassemble `nb_insn` instructions after `addr` and `nb_prev` before `addr`.
+2107 Return an iterator of Instruction objects."""
+2108 nb_insn = max(1, nb_insn)
+ +2110 if nb_prev:
+2111 try:
+2112 start_addr = gdb_get_nth_previous_instruction_address(addr, nb_prev)
+2113 if start_addr:
+2114 for insn in gdb_disassemble(start_addr, count=nb_prev):
+2115 if insn.address == addr: break 2115 ↛ 2121line 2115 didn't jump to line 2121, because the break on line 2115 wasn't executed
+2116 yield insn
+2117 except gdb.MemoryError:
+2118 # If the address pointing to the previous instruction(s) is not mapped, simply skip them
+2119 pass
+ +2121 for insn in gdb_disassemble(addr, count=nb_insn):
+2122 yield insn
+ + +2125def gef_execute_external(command: Sequence[str], as_list: bool = False, **kwargs: Any) -> Union[str, List[str]]:
+2126 """Execute an external command and return the result."""
+2127 res = subprocess.check_output(command, stderr=subprocess.STDOUT, shell=kwargs.get("shell", False))
+2128 return [gef_pystring(_) for _ in res.splitlines()] if as_list else gef_pystring(res)
+ + +2131def gef_execute_gdb_script(commands: str) -> None:
+2132 """Execute the parameter `source` as GDB command. This is done by writing `commands` to
+2133 a temporary file, which is then executed via GDB `source` command. The tempfile is then deleted."""
+2134 fd, fname = tempfile.mkstemp(suffix=".gdb", prefix="gef_")
+2135 with os.fdopen(fd, "w") as f:
+2136 f.write(commands)
+2137 f.flush()
+ +2139 fname = pathlib.Path(fname)
+2140 if fname.is_file() and os.access(fname, os.R_OK):
+2141 gdb.execute(f"source {fname}")
+2142 fname.unlink()
+2143 return
+ + +2146@deprecated("Use Elf(fname).checksec()")
+2147def checksec(filename: str) -> Dict[str, bool]:
+2148 return Elf(filename).checksec
+ + +2151@lru_cache()
+2152def get_arch() -> str:
+2153 """Return the binary's architecture."""
+2154 if is_alive():
+2155 arch = gdb.selected_frame().architecture()
+2156 return arch.name()
+ +2158 arch_str = gdb.execute("show architecture", to_string=True).strip()
+2159 pat = "The target architecture is set automatically (currently "
+2160 if arch_str.startswith(pat): 2160 ↛ 2161line 2160 didn't jump to line 2161, because the condition on line 2160 was never true
+2161 arch_str = arch_str[len(pat):].rstrip(")")
+2162 return arch_str
+ +2164 pat = "The target architecture is assumed to be "
+2165 if arch_str.startswith(pat): 2165 ↛ 2166line 2165 didn't jump to line 2166, because the condition on line 2165 was never true
+2166 return arch_str[len(pat):]
+ +2168 pat = "The target architecture is set to "
+2169 if arch_str.startswith(pat): 2169 ↛ 2176line 2169 didn't jump to line 2176, because the condition on line 2169 was never false
+2170 # GDB version >= 10.1
+2171 if '"auto"' in arch_str: 2171 ↛ 2173line 2171 didn't jump to line 2173, because the condition on line 2171 was never false
+2172 return re.findall(r"currently \"(.+)\"", arch_str)[0]
+2173 return re.findall(r"\"(.+)\"", arch_str)[0]
+ +2175 # Unknown, we throw an exception to be safe
+2176 raise RuntimeError(f"Unknown architecture: {arch_str}")
+ + +2179@deprecated("Use `gef.binary.entry_point` instead")
+2180def get_entry_point() -> Optional[int]:
+2181 """Return the binary entry point."""
+2182 return gef.binary.entry_point if gef.binary else None
+ + +2185def is_pie(fpath: str) -> bool:
+2186 return Elf(fpath).checksec["PIE"]
+ + +2189@deprecated("Prefer `gef.arch.endianness == Endianness.BIG_ENDIAN`")
+2190def is_big_endian() -> bool:
+2191 return gef.arch.endianness == Endianness.BIG_ENDIAN
+ + +2194@deprecated("gef.arch.endianness == Endianness.LITTLE_ENDIAN")
+2195def is_little_endian() -> bool:
+2196 return gef.arch.endianness == Endianness.LITTLE_ENDIAN
+ + +2199def flags_to_human(reg_value: int, value_table: Dict[int, str]) -> str:
+2200 """Return a human readable string showing the flag states."""
+2201 flags = []
+2202 for bit_index, name in value_table.items():
+2203 flags.append(Color.boldify(name.upper()) if reg_value & (1<<bit_index) != 0 else name.lower())
+2204 return f"[{' '.join(flags)}]"
+ + +2207@lru_cache()
+2208def get_section_base_address(name: str) -> Optional[int]:
+2209 section = process_lookup_path(name)
+2210 return section.page_start if section else None
+ + +2213@lru_cache()
+2214def get_zone_base_address(name: str) -> Optional[int]:
+2215 zone = file_lookup_name_path(name, get_filepath())
+2216 return zone.zone_start if zone else None
+ + +2219#
+2220# Architecture classes
+2221#
+2222@deprecated("Using the decorator `register_architecture` is unecessary")
+2223def register_architecture(cls: Type["Architecture"]) -> Type["Architecture"]:
+2224 return cls
+ +2226class ArchitectureBase:
+2227 """Class decorator for declaring an architecture to GEF."""
+2228 aliases: Union[Tuple[()], Tuple[Union[str, Elf.Abi], ...]] = ()
+ +2230 def __init_subclass__(cls: Type["ArchitectureBase"], **kwargs):
+2231 global __registered_architectures__
+2232 super().__init_subclass__(**kwargs)
+2233 for key in getattr(cls, "aliases"):
+2234 if issubclass(cls, Architecture): 2234 ↛ 2233line 2234 didn't jump to line 2233, because the condition on line 2234 was never false
+2235 __registered_architectures__[key] = cls
+2236 return
+ + +2239class Architecture(ArchitectureBase):
+2240 """Generic metaclass for the architecture supported by GEF."""
+ +2242 # Mandatory defined attributes by inheriting classes
+2243 arch: str
+2244 mode: str
+2245 all_registers: Union[Tuple[()], Tuple[str, ...]]
+2246 nop_insn: bytes
+2247 return_register: str
+2248 flag_register: Optional[str]
+2249 instruction_length: Optional[int]
+2250 flags_table: Dict[int, str]
+2251 syscall_register: Optional[str]
+2252 syscall_instructions: Union[Tuple[()], Tuple[str, ...]]
+2253 function_parameters: Union[Tuple[()], Tuple[str, ...]]
+ +2255 # Optionally defined attributes
+2256 _ptrsize: Optional[int] = None
+2257 _endianness: Optional[Endianness] = None
+2258 special_registers: Union[Tuple[()], Tuple[str, ...]] = ()
+ +2260 def __init_subclass__(cls, **kwargs):
+2261 super().__init_subclass__(**kwargs)
+2262 attributes = ("arch", "mode", "aliases", "all_registers", "nop_insn",
+2263 "return_register", "flag_register", "instruction_length", "flags_table",
+2264 "function_parameters",)
+2265 if not all(map(lambda x: hasattr(cls, x), attributes)): 2265 ↛ 2266line 2265 didn't jump to line 2266, because the condition on line 2265 was never true
+2266 raise NotImplementedError
+ +2268 def __str__(self) -> str:
+2269 return f"Architecture({self.arch}, {self.mode or 'None'}, {repr(self.endianness)})"
+ +2271 @staticmethod
+2272 def supports_gdb_arch(gdb_arch: str) -> Optional[bool]:
+2273 """If implemented by a child `Architecture`, this function dictates if the current class
+2274 supports the loaded ELF file (which can be accessed via `gef.binary`). This callback
+2275 function will override any assumption made by GEF to determine the architecture."""
+2276 return None
+ +2278 def flag_register_to_human(self, val: Optional[int] = None) -> str:
+2279 raise NotImplementedError
+ +2281 def is_call(self, insn: Instruction) -> bool:
+2282 raise NotImplementedError
+ +2284 def is_ret(self, insn: Instruction) -> bool:
+2285 raise NotImplementedError
+ +2287 def is_conditional_branch(self, insn: Instruction) -> bool:
+2288 raise NotImplementedError
+ +2290 def is_branch_taken(self, insn: Instruction) -> Tuple[bool, str]:
+2291 raise NotImplementedError
+ +2293 def get_ra(self, insn: Instruction, frame: "gdb.Frame") -> Optional[int]:
+2294 raise NotImplementedError
+ +2296 def canary_address(self) -> int:
+2297 raise NotImplementedError
+ +2299 @classmethod
+2300 def mprotect_asm(cls, addr: int, size: int, perm: Permission) -> str:
+2301 raise NotImplementedError
+ +2303 def reset_caches(self) -> None:
+2304 self.__get_register_for_selected_frame.cache_clear()
+2305 return
+ +2307 def __get_register(self, regname: str) -> int:
+2308 """Return a register's value."""
+2309 curframe = gdb.selected_frame()
+2310 key = curframe.pc() ^ int(curframe.read_register('sp')) # todo: check when/if gdb.Frame implements `level()`
+2311 return self.__get_register_for_selected_frame(regname, key)
+ +2313 @lru_cache()
+2314 def __get_register_for_selected_frame(self, regname: str, hash_key: int) -> int:
+2315 # 1st chance
+2316 try:
+2317 return parse_address(regname)
+2318 except gdb.error:
+2319 pass
+ +2321 # 2nd chance - if an exception, propagate it
+2322 regname = regname.lstrip("$")
+2323 value = gdb.selected_frame().read_register(regname)
+2324 return int(value)
+ +2326 def register(self, name: str) -> int:
+2327 if not is_alive():
+2328 raise gdb.error("No debugging session active")
+2329 return self.__get_register(name)
+ +2331 @property
+2332 def registers(self) -> Generator[str, None, None]:
+2333 yield from self.all_registers
+ +2335 @property
+2336 def pc(self) -> int:
+2337 return self.register("$pc")
+ +2339 @property
+2340 def sp(self) -> int:
+2341 return self.register("$sp")
+ +2343 @property
+2344 def fp(self) -> int:
+2345 return self.register("$fp")
+ +2347 @property
+2348 def ptrsize(self) -> int:
+2349 if not self._ptrsize: 2349 ↛ 2350line 2349 didn't jump to line 2350, because the condition on line 2349 was never true
+2350 res = cached_lookup_type("size_t")
+2351 if res is not None:
+2352 self._ptrsize = res.sizeof
+2353 else:
+2354 self._ptrsize = gdb.parse_and_eval("$pc").type.sizeof
+2355 return self._ptrsize
+ +2357 @property
+2358 def endianness(self) -> Endianness:
+2359 if not self._endianness:
+2360 output = gdb.execute("show endian", to_string=True).strip().lower()
+2361 if "little endian" in output: 2361 ↛ 2363line 2361 didn't jump to line 2363, because the condition on line 2361 was never false
+2362 self._endianness = Endianness.LITTLE_ENDIAN
+2363 elif "big endian" in output:
+2364 self._endianness = Endianness.BIG_ENDIAN
+2365 else:
+2366 raise OSError(f"No valid endianess found in '{output}'")
+2367 return self._endianness
+ +2369 def get_ith_parameter(self, i: int, in_func: bool = True) -> Tuple[str, Optional[int]]:
+2370 """Retrieves the correct parameter used for the current function call."""
+2371 reg = self.function_parameters[i]
+2372 val = self.register(reg)
+2373 key = reg
+2374 return key, val
+ + +2377class GenericArchitecture(Architecture):
+2378 arch = "Generic"
+2379 mode = ""
+2380 aliases = ("GenericArchitecture",)
+2381 all_registers = ()
+2382 instruction_length = 0
+2383 return_register = ""
+2384 function_parameters = ()
+2385 syscall_register = ""
+2386 syscall_instructions = ()
+2387 nop_insn = b""
+2388 flag_register = None
+2389 flags_table = {}
+ + +2392class RISCV(Architecture):
+2393 arch = "RISCV"
+2394 mode = "RISCV"
+2395 aliases = ("RISCV", Elf.Abi.RISCV)
+2396 all_registers = ("$zero", "$ra", "$sp", "$gp", "$tp", "$t0", "$t1",
+2397 "$t2", "$fp", "$s1", "$a0", "$a1", "$a2", "$a3",
+2398 "$a4", "$a5", "$a6", "$a7", "$s2", "$s3", "$s4",
+2399 "$s5", "$s6", "$s7", "$s8", "$s9", "$s10", "$s11",
+2400 "$t3", "$t4", "$t5", "$t6",)
+2401 return_register = "$a0"
+2402 function_parameters = ("$a0", "$a1", "$a2", "$a3", "$a4", "$a5", "$a6", "$a7")
+2403 syscall_register = "$a7"
+2404 syscall_instructions = ("ecall",)
+2405 nop_insn = b"\x00\x00\x00\x13"
+2406 # RISC-V has no flags registers
+2407 flag_register = None
+2408 flags_table = {}
+ +2410 @property
+2411 def instruction_length(self) -> int:
+2412 return 4
+ +2414 def is_call(self, insn: Instruction) -> bool:
+2415 return insn.mnemonic == "call"
+ +2417 def is_ret(self, insn: Instruction) -> bool:
+2418 mnemo = insn.mnemonic
+2419 if mnemo == "ret":
+2420 return True
+2421 elif (mnemo == "jalr" and insn.operands[0] == "zero" and
+2422 insn.operands[1] == "ra" and insn.operands[2] == 0):
+2423 return True
+2424 elif (mnemo == "c.jalr" and insn.operands[0] == "ra"):
+2425 return True
+2426 return False
+ +2428 @classmethod
+2429 def mprotect_asm(cls, addr: int, size: int, perm: Permission) -> str:
+2430 raise OSError(f"Architecture {cls.arch} not supported yet")
+ +2432 @property
+2433 def ptrsize(self) -> int:
+2434 if self._ptrsize is not None:
+2435 return self._ptrsize
+2436 if is_alive():
+2437 self._ptrsize = gdb.parse_and_eval("$pc").type.sizeof
+2438 return self._ptrsize
+2439 return 4
+ +2441 def is_conditional_branch(self, insn: Instruction) -> bool:
+2442 return insn.mnemonic.startswith("b")
+ +2444 def is_branch_taken(self, insn: Instruction) -> Tuple[bool, str]:
+2445 def long_to_twos_complement(v: int) -> int:
+2446 """Convert a python long value to its two's complement."""
+2447 if is_32bit():
+2448 if v & 0x80000000:
+2449 return v - 0x100000000
+2450 elif is_64bit():
+2451 if v & 0x8000000000000000:
+2452 return v - 0x10000000000000000
+2453 else:
+2454 raise OSError("RISC-V: ELF file is not ELF32 or ELF64. This is not currently supported")
+2455 return v
+ +2457 mnemo = insn.mnemonic
+2458 condition = mnemo[1:]
+ +2460 if condition.endswith("z"):
+2461 # r2 is the zero register if we are comparing to 0
+2462 rs1 = gef.arch.register(insn.operands[0])
+2463 rs2 = gef.arch.register("$zero")
+2464 condition = condition[:-1]
+2465 elif len(insn.operands) > 2:
+2466 # r2 is populated with the second operand
+2467 rs1 = gef.arch.register(insn.operands[0])
+2468 rs2 = gef.arch.register(insn.operands[1])
+2469 else:
+2470 raise OSError(f"RISC-V: Failed to get rs1 and rs2 for instruction: `{insn}`")
+ +2472 # If the conditional operation is not unsigned, convert the python long into
+2473 # its two's complement
+2474 if not condition.endswith("u"):
+2475 rs2 = long_to_twos_complement(rs2)
+2476 rs1 = long_to_twos_complement(rs1)
+2477 else:
+2478 condition = condition[:-1]
+ +2480 if condition == "eq":
+2481 if rs1 == rs2: taken, reason = True, f"{rs1}={rs2}"
+2482 else: taken, reason = False, f"{rs1}!={rs2}"
+2483 elif condition == "ne":
+2484 if rs1 != rs2: taken, reason = True, f"{rs1}!={rs2}"
+2485 else: taken, reason = False, f"{rs1}={rs2}"
+2486 elif condition == "lt":
+2487 if rs1 < rs2: taken, reason = True, f"{rs1}<{rs2}"
+2488 else: taken, reason = False, f"{rs1}>={rs2}"
+2489 elif condition == "le":
+2490 if rs1 <= rs2: taken, reason = True, f"{rs1}<={rs2}"
+2491 else: taken, reason = False, f"{rs1}>{rs2}"
+2492 elif condition == "ge":
+2493 if rs1 < rs2: taken, reason = True, f"{rs1}>={rs2}"
+2494 else: taken, reason = False, f"{rs1}<{rs2}"
+2495 else:
+2496 raise OSError(f"RISC-V: Conditional instruction `{insn}` not supported yet")
+ +2498 return taken, reason
+ +2500 def get_ra(self, insn: Instruction, frame: "gdb.Frame") -> Optional[int]:
+2501 ra = None
+2502 if self.is_ret(insn):
+2503 ra = gef.arch.register("$ra")
+2504 elif frame.older():
+2505 ra = frame.older().pc()
+2506 return ra
+ + +2509class ARM(Architecture):
+2510 aliases = ("ARM", Elf.Abi.ARM)
+2511 arch = "ARM"
+2512 all_registers = ("$r0", "$r1", "$r2", "$r3", "$r4", "$r5", "$r6",
+2513 "$r7", "$r8", "$r9", "$r10", "$r11", "$r12", "$sp",
+2514 "$lr", "$pc", "$cpsr",)
+ +2516 nop_insn = b"\x00\xf0\x20\xe3" # hint #0
+2517 return_register = "$r0"
+2518 flag_register: str = "$cpsr"
+2519 flags_table = {
+2520 31: "negative",
+2521 30: "zero",
+2522 29: "carry",
+2523 28: "overflow",
+2524 7: "interrupt",
+2525 6: "fast",
+2526 5: "thumb",
+2527 }
+2528 function_parameters = ("$r0", "$r1", "$r2", "$r3")
+2529 syscall_register = "$r7"
+2530 syscall_instructions = ("swi 0x0", "swi NR")
+2531 _endianness = Endianness.LITTLE_ENDIAN
+ +2533 def is_thumb(self) -> bool:
+2534 """Determine if the machine is currently in THUMB mode."""
+2535 return is_alive() and (self.cpsr & (1 << 5) == 1)
+ +2537 @property
+2538 def pc(self) -> Optional[int]:
+2539 pc = gef.arch.register("$pc")
+2540 if self.is_thumb():
+2541 pc += 1
+2542 return pc
+ +2544 @property
+2545 def cpsr(self) -> int:
+2546 if not is_alive():
+2547 raise RuntimeError("Cannot get CPSR, program not started?")
+2548 return gef.arch.register(self.flag_register)
+ +2550 @property
+2551 def mode(self) -> str:
+2552 return "THUMB" if self.is_thumb() else "ARM"
+ +2554 @property
+2555 def instruction_length(self) -> Optional[int]:
+2556 # Thumb instructions have variable-length (2 or 4-byte)
+2557 return None if self.is_thumb() else 4
+ +2559 @property
+2560 def ptrsize(self) -> int:
+2561 return 4
+ +2563 def is_call(self, insn: Instruction) -> bool:
+2564 mnemo = insn.mnemonic
+2565 call_mnemos = {"bl", "blx"}
+2566 return mnemo in call_mnemos
+ +2568 def is_ret(self, insn: Instruction) -> bool:
+2569 pop_mnemos = {"pop"}
+2570 branch_mnemos = {"bl", "bx"}
+2571 write_mnemos = {"ldr", "add"}
+2572 if insn.mnemonic in pop_mnemos:
+2573 return insn.operands[-1] == " pc}"
+2574 if insn.mnemonic in branch_mnemos:
+2575 return insn.operands[-1] == "lr"
+2576 if insn.mnemonic in write_mnemos:
+2577 return insn.operands[0] == "pc"
+2578 return False
+ +2580 def flag_register_to_human(self, val: Optional[int] = None) -> str:
+2581 # https://www.botskool.com/user-pages/tutorials/electronics/arm-7-tutorial-part-1
+2582 if val is None:
+2583 reg = self.flag_register
+2584 val = gef.arch.register(reg)
+2585 return flags_to_human(val, self.flags_table)
+ +2587 def is_conditional_branch(self, insn: Instruction) -> bool:
+2588 conditions = {"eq", "ne", "lt", "le", "gt", "ge", "vs", "vc", "mi", "pl", "hi", "ls", "cc", "cs"}
+2589 return insn.mnemonic[-2:] in conditions
+ +2591 def is_branch_taken(self, insn: Instruction) -> Tuple[bool, str]:
+2592 mnemo = insn.mnemonic
+2593 # ref: https://www.davespace.co.uk/arm/introduction-to-arm/conditional.html
+2594 flags = dict((self.flags_table[k], k) for k in self.flags_table)
+2595 val = gef.arch.register(self.flag_register)
+2596 taken, reason = False, ""
+ +2598 if mnemo.endswith("eq"): taken, reason = bool(val&(1<<flags["zero"])), "Z"
+2599 elif mnemo.endswith("ne"): taken, reason = not bool(val&(1<<flags["zero"])), "!Z"
+2600 elif mnemo.endswith("lt"):
+2601 taken, reason = bool(val&(1<<flags["negative"])) != bool(val&(1<<flags["overflow"])), "N!=V"
+2602 elif mnemo.endswith("le"):
+2603 taken, reason = bool(val&(1<<flags["zero"])) or \
+2604 bool(val&(1<<flags["negative"])) != bool(val&(1<<flags["overflow"])), "Z || N!=V"
+2605 elif mnemo.endswith("gt"):
+2606 taken, reason = bool(val&(1<<flags["zero"])) == 0 and \
+2607 bool(val&(1<<flags["negative"])) == bool(val&(1<<flags["overflow"])), "!Z && N==V"
+2608 elif mnemo.endswith("ge"):
+2609 taken, reason = bool(val&(1<<flags["negative"])) == bool(val&(1<<flags["overflow"])), "N==V"
+2610 elif mnemo.endswith("vs"): taken, reason = bool(val&(1<<flags["overflow"])), "V"
+2611 elif mnemo.endswith("vc"): taken, reason = not val&(1<<flags["overflow"]), "!V"
+2612 elif mnemo.endswith("mi"):
+2613 taken, reason = bool(val&(1<<flags["negative"])), "N"
+2614 elif mnemo.endswith("pl"):
+2615 taken, reason = not val&(1<<flags["negative"]), "N==0"
+2616 elif mnemo.endswith("hi"):
+2617 taken, reason = bool(val&(1<<flags["carry"])) and not bool(val&(1<<flags["zero"])), "C && !Z"
+2618 elif mnemo.endswith("ls"):
+2619 taken, reason = not val&(1<<flags["carry"]) or bool(val&(1<<flags["zero"])), "!C || Z"
+2620 elif mnemo.endswith("cs"): taken, reason = bool(val&(1<<flags["carry"])), "C"
+2621 elif mnemo.endswith("cc"): taken, reason = not val&(1<<flags["carry"]), "!C"
+2622 return taken, reason
+ +2624 def get_ra(self, insn: Instruction, frame: "gdb.Frame") -> int:
+2625 ra = None
+2626 if self.is_ret(insn):
+2627 # If it's a pop, we have to peek into the stack, otherwise use lr
+2628 if insn.mnemonic == "pop":
+2629 ra_addr = gef.arch.sp + (len(insn.operands)-1) * self.ptrsize
+2630 ra = to_unsigned_long(dereference(ra_addr))
+2631 elif insn.mnemonic == "ldr":
+2632 return to_unsigned_long(dereference(gef.arch.sp))
+2633 else: # 'bx lr' or 'add pc, lr, #0'
+2634 return gef.arch.register("$lr")
+2635 elif frame.older():
+2636 ra = frame.older().pc()
+2637 return ra
+ +2639 @classmethod
+2640 def mprotect_asm(cls, addr: int, size: int, perm: Permission) -> str:
+2641 _NR_mprotect = 125
+2642 insns = [
+2643 "push {r0-r2, r7}",
+2644 f"mov r1, {addr & 0xffff:d}",
+2645 f"mov r0, {(addr & 0xffff0000) >> 16:d}",
+2646 "lsl r0, r0, 16",
+2647 "add r0, r0, r1",
+2648 f"mov r1, {size & 0xffff:d}",
+2649 f"mov r2, {perm.value & 0xff:d}",
+2650 f"mov r7, {_NR_mprotect:d}",
+2651 "svc 0",
+2652 "pop {r0-r2, r7}",
+2653 ]
+2654 return "; ".join(insns)
+ + +2657class AARCH64(ARM):
+2658 aliases = ("ARM64", "AARCH64", Elf.Abi.AARCH64)
+2659 arch = "ARM64"
+2660 mode: str = ""
+ +2662 all_registers = (
+2663 "$x0", "$x1", "$x2", "$x3", "$x4", "$x5", "$x6", "$x7",
+2664 "$x8", "$x9", "$x10", "$x11", "$x12", "$x13", "$x14","$x15",
+2665 "$x16", "$x17", "$x18", "$x19", "$x20", "$x21", "$x22", "$x23",
+2666 "$x24", "$x25", "$x26", "$x27", "$x28", "$x29", "$x30", "$sp",
+2667 "$pc", "$cpsr", "$fpsr", "$fpcr",)
+2668 return_register = "$x0"
+2669 flag_register = "$cpsr"
+2670 flags_table = {
+2671 31: "negative",
+2672 30: "zero",
+2673 29: "carry",
+2674 28: "overflow",
+2675 7: "interrupt",
+2676 9: "endian",
+2677 6: "fast",
+2678 5: "t32",
+2679 4: "m[4]",
+2680 }
+2681 nop_insn = b"\x1f\x20\x03\xd5" # hint #0
+2682 function_parameters = ("$x0", "$x1", "$x2", "$x3", "$x4", "$x5", "$x6", "$x7",)
+2683 syscall_register = "$x8"
+2684 syscall_instructions = ("svc $x0",)
+ +2686 def is_call(self, insn: Instruction) -> bool:
+2687 mnemo = insn.mnemonic
+2688 call_mnemos = {"bl", "blr"}
+2689 return mnemo in call_mnemos
+ +2691 def flag_register_to_human(self, val: Optional[int] = None) -> str:
+2692 # https://events.linuxfoundation.org/sites/events/files/slides/KoreaLinuxForum-2014.pdf
+2693 reg = self.flag_register
+2694 if not val:
+2695 val = gef.arch.register(reg)
+2696 return flags_to_human(val, self.flags_table)
+ +2698 def is_aarch32(self) -> bool:
+2699 """Determine if the CPU is currently in AARCH32 mode from runtime."""
+2700 return (self.cpsr & (1 << 4) != 0) and (self.cpsr & (1 << 5) == 0)
+ +2702 def is_thumb32(self) -> bool:
+2703 """Determine if the CPU is currently in THUMB32 mode from runtime."""
+2704 return (self.cpsr & (1 << 4) == 1) and (self.cpsr & (1 << 5) == 1)
+ +2706 @property
+2707 def ptrsize(self) -> int:
+2708 """Determine the size of pointer from the current CPU mode"""
+2709 if not is_alive():
+2710 return 8
+2711 if self.is_aarch32():
+2712 return 4
+2713 if self.is_thumb32():
+2714 return 2
+2715 return 8
+ +2717 @classmethod
+2718 def mprotect_asm(cls, addr: int, size: int, perm: Permission) -> str:
+2719 _NR_mprotect = 226
+2720 insns = [
+2721 "str x8, [sp, -16]!",
+2722 "str x0, [sp, -16]!",
+2723 "str x1, [sp, -16]!",
+2724 "str x2, [sp, -16]!",
+2725 f"mov x8, {_NR_mprotect:d}",
+2726 f"movz x0, {addr & 0xFFFF:#x}",
+2727 f"movk x0, {(addr >> 16) & 0xFFFF:#x}, lsl 16",
+2728 f"movk x0, {(addr >> 32) & 0xFFFF:#x}, lsl 32",
+2729 f"movk x0, {(addr >> 48) & 0xFFFF:#x}, lsl 48",
+2730 f"movz x1, {size & 0xFFFF:#x}",
+2731 f"movk x1, {(size >> 16) & 0xFFFF:#x}, lsl 16",
+2732 f"mov x2, {perm.value:d}",
+2733 "svc 0",
+2734 "ldr x2, [sp], 16",
+2735 "ldr x1, [sp], 16",
+2736 "ldr x0, [sp], 16",
+2737 "ldr x8, [sp], 16",
+2738 ]
+2739 return "; ".join(insns)
+ +2741 def is_conditional_branch(self, insn: Instruction) -> bool:
+2742 # https://www.element14.com/community/servlet/JiveServlet/previewBody/41836-102-1-229511/ARM.Reference_Manual.pdf
+2743 # sect. 5.1.1
+2744 mnemo = insn.mnemonic
+2745 branch_mnemos = {"cbnz", "cbz", "tbnz", "tbz"}
+2746 return mnemo.startswith("b.") or mnemo in branch_mnemos
+ +2748 def is_branch_taken(self, insn: Instruction) -> Tuple[bool, str]:
+2749 mnemo, operands = insn.mnemonic, insn.operands
+2750 taken, reason = False, ""
+ +2752 if mnemo in {"cbnz", "cbz", "tbnz", "tbz"}:
+2753 reg = f"${operands[0]}"
+2754 op = gef.arch.register(reg)
+2755 if mnemo == "cbnz":
+2756 if op!=0: taken, reason = True, f"{reg}!=0"
+2757 else: taken, reason = False, f"{reg}==0"
+2758 elif mnemo == "cbz":
+2759 if op == 0: taken, reason = True, f"{reg}==0"
+2760 else: taken, reason = False, f"{reg}!=0"
+2761 elif mnemo == "tbnz":
+2762 # operands[1] has one or more white spaces in front, then a #, then the number
+2763 # so we need to eliminate them
+2764 i = int(operands[1].strip().lstrip("#"))
+2765 if (op & 1<<i) != 0: taken, reason = True, f"{reg}&1<<{i}!=0"
+2766 else: taken, reason = False, f"{reg}&1<<{i}==0"
+2767 elif mnemo == "tbz":
+2768 # operands[1] has one or more white spaces in front, then a #, then the number
+2769 # so we need to eliminate them
+2770 i = int(operands[1].strip().lstrip("#"))
+2771 if (op & 1<<i) == 0: taken, reason = True, f"{reg}&1<<{i}==0"
+2772 else: taken, reason = False, f"{reg}&1<<{i}!=0"
+ +2774 if not reason:
+2775 taken, reason = super().is_branch_taken(insn)
+2776 return taken, reason
+ + +2779class X86(Architecture):
+2780 aliases: Tuple[Union[str, Elf.Abi], ...] = ("X86", Elf.Abi.X86_32)
+2781 arch = "X86"
+2782 mode = "32"
+ +2784 nop_insn = b"\x90"
+2785 flag_register: str = "$eflags"
+2786 special_registers = ("$cs", "$ss", "$ds", "$es", "$fs", "$gs", )
+2787 gpr_registers = ("$eax", "$ebx", "$ecx", "$edx", "$esp", "$ebp", "$esi", "$edi", "$eip", )
+2788 all_registers = gpr_registers + ( flag_register,) + special_registers
+2789 instruction_length = None
+2790 return_register = "$eax"
+2791 function_parameters = ("$esp", )
+2792 flags_table = {
+2793 6: "zero",
+2794 0: "carry",
+2795 2: "parity",
+2796 4: "adjust",
+2797 7: "sign",
+2798 8: "trap",
+2799 9: "interrupt",
+2800 10: "direction",
+2801 11: "overflow",
+2802 16: "resume",
+2803 17: "virtualx86",
+2804 21: "identification",
+2805 }
+2806 syscall_register = "$eax"
+2807 syscall_instructions = ("sysenter", "int 0x80")
+2808 _ptrsize = 4
+2809 _endianness = Endianness.LITTLE_ENDIAN
+ +2811 def flag_register_to_human(self, val: Optional[int] = None) -> str:
+2812 reg = self.flag_register
+2813 if not val: 2813 ↛ 2815line 2813 didn't jump to line 2815, because the condition on line 2813 was never false
+2814 val = gef.arch.register(reg)
+2815 return flags_to_human(val, self.flags_table)
+ +2817 def is_call(self, insn: Instruction) -> bool:
+2818 mnemo = insn.mnemonic
+2819 call_mnemos = {"call", "callq"}
+2820 return mnemo in call_mnemos
+ +2822 def is_ret(self, insn: Instruction) -> bool:
+2823 return insn.mnemonic == "ret"
+ +2825 def is_conditional_branch(self, insn: Instruction) -> bool:
+2826 mnemo = insn.mnemonic
+2827 branch_mnemos = {
+2828 "ja", "jnbe", "jae", "jnb", "jnc", "jb", "jc", "jnae", "jbe", "jna",
+2829 "jcxz", "jecxz", "jrcxz", "je", "jz", "jg", "jnle", "jge", "jnl",
+2830 "jl", "jnge", "jle", "jng", "jne", "jnz", "jno", "jnp", "jpo", "jns",
+2831 "jo", "jp", "jpe", "js"
+2832 }
+2833 return mnemo in branch_mnemos
+ +2835 def is_branch_taken(self, insn: Instruction) -> Tuple[bool, str]:
+2836 mnemo = insn.mnemonic
+2837 # all kudos to fG! (https://github.com/gdbinit/Gdbinit/blob/master/gdbinit#L1654)
+2838 flags = dict((self.flags_table[k], k) for k in self.flags_table)
+2839 val = gef.arch.register(self.flag_register)
+ +2841 taken, reason = False, ""
+ +2843 if mnemo in ("ja", "jnbe"):
+2844 taken, reason = not val&(1<<flags["carry"]) and not bool(val&(1<<flags["zero"])), "!C && !Z"
+2845 elif mnemo in ("jae", "jnb", "jnc"):
+2846 taken, reason = not val&(1<<flags["carry"]), "!C"
+2847 elif mnemo in ("jb", "jc", "jnae"):
+2848 taken, reason = bool(val&(1<<flags["carry"])) != 0, "C"
+2849 elif mnemo in ("jbe", "jna"):
+2850 taken, reason = bool(val&(1<<flags["carry"])) or bool(val&(1<<flags["zero"])), "C || Z"
+2851 elif mnemo in ("jcxz", "jecxz", "jrcxz"):
+2852 cx = gef.arch.register("$rcx") if is_x86_64() else gef.arch.register("$ecx")
+2853 taken, reason = cx == 0, "!$CX"
+2854 elif mnemo in ("je", "jz"):
+2855 taken, reason = bool(val&(1<<flags["zero"])), "Z"
+2856 elif mnemo in ("jne", "jnz"):
+2857 taken, reason = not bool(val&(1<<flags["zero"])), "!Z"
+2858 elif mnemo in ("jg", "jnle"):
+2859 taken, reason = not bool(val&(1<<flags["zero"])) and bool(val&(1<<flags["overflow"])) == bool(val&(1<<flags["sign"])), "!Z && S==O"
+2860 elif mnemo in ("jge", "jnl"):
+2861 taken, reason = bool(val&(1<<flags["sign"])) == bool(val&(1<<flags["overflow"])), "S==O"
+2862 elif mnemo in ("jl", "jnge"):
+2863 taken, reason = bool(val&(1<<flags["overflow"]) != val&(1<<flags["sign"])), "S!=O"
+2864 elif mnemo in ("jle", "jng"):
+2865 taken, reason = bool(val&(1<<flags["zero"])) or bool(val&(1<<flags["overflow"])) != bool(val&(1<<flags["sign"])), "Z || S!=O"
+2866 elif mnemo in ("jo",):
+2867 taken, reason = bool(val&(1<<flags["overflow"])), "O"
+2868 elif mnemo in ("jno",):
+2869 taken, reason = not val&(1<<flags["overflow"]), "!O"
+2870 elif mnemo in ("jpe", "jp"):
+2871 taken, reason = bool(val&(1<<flags["parity"])), "P"
+2872 elif mnemo in ("jnp", "jpo"):
+2873 taken, reason = not val&(1<<flags["parity"]), "!P"
+2874 elif mnemo in ("js",):
+2875 taken, reason = bool(val&(1<<flags["sign"])) != 0, "S"
+2876 elif mnemo in ("jns",):
+2877 taken, reason = not val&(1<<flags["sign"]), "!S"
+2878 return taken, reason
+ +2880 def get_ra(self, insn: Instruction, frame: "gdb.Frame") -> Optional[int]:
+2881 ra = None
+2882 if self.is_ret(insn): 2882 ↛ 2884line 2882 didn't jump to line 2884, because the condition on line 2882 was never false
+2883 ra = to_unsigned_long(dereference(gef.arch.sp))
+2884 if frame.older(): 2884 ↛ 2887line 2884 didn't jump to line 2887, because the condition on line 2884 was never false
+2885 ra = frame.older().pc()
+ +2887 return ra
+ +2889 @classmethod
+2890 def mprotect_asm(cls, addr: int, size: int, perm: Permission) -> str:
+2891 _NR_mprotect = 125
+2892 insns = [
+2893 "pushad",
+2894 "pushfd",
+2895 f"mov eax, {_NR_mprotect:d}",
+2896 f"mov ebx, {addr:d}",
+2897 f"mov ecx, {size:d}",
+2898 f"mov edx, {perm.value:d}",
+2899 "int 0x80",
+2900 "popfd",
+2901 "popad",
+2902 ]
+2903 return "; ".join(insns)
+ +2905 def get_ith_parameter(self, i: int, in_func: bool = True) -> Tuple[str, Optional[int]]:
+2906 if in_func:
+2907 i += 1 # Account for RA being at the top of the stack
+2908 sp = gef.arch.sp
+2909 sz = gef.arch.ptrsize
+2910 loc = sp + (i * sz)
+2911 val = gef.memory.read_integer(loc)
+2912 key = f"[sp + {i * sz:#x}]"
+2913 return key, val
+ + +2916class X86_64(X86):
+2917 aliases = ("X86_64", Elf.Abi.X86_64, "i386:x86-64")
+2918 arch = "X86"
+2919 mode = "64"
+ +2921 gpr_registers = (
+2922 "$rax", "$rbx", "$rcx", "$rdx", "$rsp", "$rbp", "$rsi", "$rdi", "$rip",
+2923 "$r8", "$r9", "$r10", "$r11", "$r12", "$r13", "$r14", "$r15", )
+2924 all_registers = gpr_registers + ( X86.flag_register, ) + X86.special_registers
+2925 return_register = "$rax"
+2926 function_parameters = ["$rdi", "$rsi", "$rdx", "$rcx", "$r8", "$r9"]
+2927 syscall_register = "$rax"
+2928 syscall_instructions = ["syscall"]
+2929 # We don't want to inherit x86's stack based param getter
+2930 get_ith_parameter = Architecture.get_ith_parameter
+2931 _ptrsize = 8
+ +2933 @classmethod
+2934 def mprotect_asm(cls, addr: int, size: int, perm: Permission) -> str:
+2935 _NR_mprotect = 10
+2936 insns = [
+2937 "pushfq",
+2938 "push rax",
+2939 "push rdi",
+2940 "push rsi",
+2941 "push rdx",
+2942 "push rcx",
+2943 "push r11",
+2944 f"mov rax, {_NR_mprotect:d}",
+2945 f"mov rdi, {addr:d}",
+2946 f"mov rsi, {size:d}",
+2947 f"mov rdx, {perm.value:d}",
+2948 "syscall",
+2949 "pop r11",
+2950 "pop rcx",
+2951 "pop rdx",
+2952 "pop rsi",
+2953 "pop rdi",
+2954 "pop rax",
+2955 "popfq",
+2956 ]
+2957 return "; ".join(insns)
+ +2959 def canary_address(self) -> int:
+2960 return self.register("fs_base") + 0x28
+ +2962class PowerPC(Architecture):
+2963 aliases = ("PowerPC", Elf.Abi.POWERPC, "PPC")
+2964 arch = "PPC"
+2965 mode = "PPC32"
+ +2967 all_registers = (
+2968 "$r0", "$r1", "$r2", "$r3", "$r4", "$r5", "$r6", "$r7",
+2969 "$r8", "$r9", "$r10", "$r11", "$r12", "$r13", "$r14", "$r15",
+2970 "$r16", "$r17", "$r18", "$r19", "$r20", "$r21", "$r22", "$r23",
+2971 "$r24", "$r25", "$r26", "$r27", "$r28", "$r29", "$r30", "$r31",
+2972 "$pc", "$msr", "$cr", "$lr", "$ctr", "$xer", "$trap",)
+2973 instruction_length = 4
+2974 nop_insn = b"\x60\x00\x00\x00" # https://developer.ibm.com/articles/l-ppc/
+2975 return_register = "$r0"
+2976 flag_register: str = "$cr"
+2977 flags_table = {
+2978 3: "negative[0]",
+2979 2: "positive[0]",
+2980 1: "equal[0]",
+2981 0: "overflow[0]",
+2982 # cr7
+2983 31: "less[7]",
+2984 30: "greater[7]",
+2985 29: "equal[7]",
+2986 28: "overflow[7]",
+2987 }
+2988 function_parameters = ("$i0", "$i1", "$i2", "$i3", "$i4", "$i5")
+2989 syscall_register = "$r0"
+2990 syscall_instructions = ("sc",)
+2991 ptrsize = 4
+ + +2994 def flag_register_to_human(self, val: Optional[int] = None) -> str:
+2995 # https://www.cebix.net/downloads/bebox/pem32b.pdf (% 2.1.3)
+2996 if not val:
+2997 reg = self.flag_register
+2998 val = gef.arch.register(reg)
+2999 return flags_to_human(val, self.flags_table)
+ +3001 def is_call(self, insn: Instruction) -> bool:
+3002 return False
+ +3004 def is_ret(self, insn: Instruction) -> bool:
+3005 return insn.mnemonic == "blr"
+ +3007 def is_conditional_branch(self, insn: Instruction) -> bool:
+3008 mnemo = insn.mnemonic
+3009 branch_mnemos = {"beq", "bne", "ble", "blt", "bgt", "bge"}
+3010 return mnemo in branch_mnemos
+ +3012 def is_branch_taken(self, insn: Instruction) -> Tuple[bool, str]:
+3013 mnemo = insn.mnemonic
+3014 flags = dict((self.flags_table[k], k) for k in self.flags_table)
+3015 val = gef.arch.register(self.flag_register)
+3016 taken, reason = False, ""
+3017 if mnemo == "beq": taken, reason = bool(val&(1<<flags["equal[7]"])), "E"
+3018 elif mnemo == "bne": taken, reason = val&(1<<flags["equal[7]"]) == 0, "!E"
+3019 elif mnemo == "ble": taken, reason = bool(val&(1<<flags["equal[7]"])) or bool(val&(1<<flags["less[7]"])), "E || L"
+3020 elif mnemo == "blt": taken, reason = bool(val&(1<<flags["less[7]"])), "L"
+3021 elif mnemo == "bge": taken, reason = bool(val&(1<<flags["equal[7]"])) or bool(val&(1<<flags["greater[7]"])), "E || G"
+3022 elif mnemo == "bgt": taken, reason = bool(val&(1<<flags["greater[7]"])), "G"
+3023 return taken, reason
+ +3025 def get_ra(self, insn: Instruction, frame: "gdb.Frame") -> Optional[int]:
+3026 ra = None
+3027 if self.is_ret(insn):
+3028 ra = gef.arch.register("$lr")
+3029 elif frame.older():
+3030 ra = frame.older().pc()
+3031 return ra
+ +3033 @classmethod
+3034 def mprotect_asm(cls, addr: int, size: int, perm: Permission) -> str:
+3035 # Ref: https://developer.ibm.com/articles/l-ppc/
+3036 _NR_mprotect = 125
+3037 insns = [
+3038 "addi 1, 1, -16", # 1 = r1 = sp
+3039 "stw 0, 0(1)",
+3040 "stw 3, 4(1)", # r0 = syscall_code | r3, r4, r5 = args
+3041 "stw 4, 8(1)",
+3042 "stw 5, 12(1)",
+3043 f"li 0, {_NR_mprotect:d}",
+3044 f"lis 3, {addr:#x}@h",
+3045 f"ori 3, 3, {addr:#x}@l",
+3046 f"lis 4, {size:#x}@h",
+3047 f"ori 4, 4, {size:#x}@l",
+3048 f"li 5, {perm.value:d}",
+3049 "sc",
+3050 "lwz 0, 0(1)",
+3051 "lwz 3, 4(1)",
+3052 "lwz 4, 8(1)",
+3053 "lwz 5, 12(1)",
+3054 "addi 1, 1, 16",
+3055 ]
+3056 return ";".join(insns)
+ + +3059class PowerPC64(PowerPC):
+3060 aliases = ("PowerPC64", Elf.Abi.POWERPC64, "PPC64")
+3061 arch = "PPC"
+3062 mode = "PPC64"
+3063 ptrsize = 8
+ + +3066class SPARC(Architecture):
+3067 """ Refs:
+3068 - https://www.cse.scu.edu/~atkinson/teaching/sp05/259/sparc.pdf
+3069 """
+3070 aliases = ("SPARC", Elf.Abi.SPARC)
+3071 arch = "SPARC"
+3072 mode = ""
+ +3074 all_registers = (
+3075 "$g0", "$g1", "$g2", "$g3", "$g4", "$g5", "$g6", "$g7",
+3076 "$o0", "$o1", "$o2", "$o3", "$o4", "$o5", "$o7",
+3077 "$l0", "$l1", "$l2", "$l3", "$l4", "$l5", "$l6", "$l7",
+3078 "$i0", "$i1", "$i2", "$i3", "$i4", "$i5", "$i7",
+3079 "$pc", "$npc", "$sp ", "$fp ", "$psr",)
+3080 instruction_length = 4
+3081 nop_insn = b"\x00\x00\x00\x00" # sethi 0, %g0
+3082 return_register = "$i0"
+3083 flag_register: str = "$psr"
+3084 flags_table = {
+3085 23: "negative",
+3086 22: "zero",
+3087 21: "overflow",
+3088 20: "carry",
+3089 7: "supervisor",
+3090 5: "trap",
+3091 }
+3092 function_parameters = ("$o0 ", "$o1 ", "$o2 ", "$o3 ", "$o4 ", "$o5 ", "$o7 ",)
+3093 syscall_register = "%g1"
+3094 syscall_instructions = ("t 0x10",)
+ +3096 def flag_register_to_human(self, val: Optional[int] = None) -> str:
+3097 # https://www.gaisler.com/doc/sparcv8.pdf
+3098 reg = self.flag_register
+3099 if not val:
+3100 val = gef.arch.register(reg)
+3101 return flags_to_human(val, self.flags_table)
+ +3103 def is_call(self, insn: Instruction) -> bool:
+3104 return False
+ +3106 def is_ret(self, insn: Instruction) -> bool:
+3107 return insn.mnemonic == "ret"
+ +3109 def is_conditional_branch(self, insn: Instruction) -> bool:
+3110 mnemo = insn.mnemonic
+3111 # http://moss.csc.ncsu.edu/~mueller/codeopt/codeopt00/notes/condbranch.html
+3112 branch_mnemos = {
+3113 "be", "bne", "bg", "bge", "bgeu", "bgu", "bl", "ble", "blu", "bleu",
+3114 "bneg", "bpos", "bvs", "bvc", "bcs", "bcc"
+3115 }
+3116 return mnemo in branch_mnemos
+ +3118 def is_branch_taken(self, insn: Instruction) -> Tuple[bool, str]:
+3119 mnemo = insn.mnemonic
+3120 flags = dict((self.flags_table[k], k) for k in self.flags_table)
+3121 val = gef.arch.register(self.flag_register)
+3122 taken, reason = False, ""
+ +3124 if mnemo == "be": taken, reason = bool(val&(1<<flags["zero"])), "Z"
+3125 elif mnemo == "bne": taken, reason = bool(val&(1<<flags["zero"])) == 0, "!Z"
+3126 elif mnemo == "bg": taken, reason = bool(val&(1<<flags["zero"])) == 0 and (val&(1<<flags["negative"]) == 0 or val&(1<<flags["overflow"]) == 0), "!Z && (!N || !O)"
+3127 elif mnemo == "bge": taken, reason = val&(1<<flags["negative"]) == 0 or val&(1<<flags["overflow"]) == 0, "!N || !O"
+3128 elif mnemo == "bgu": taken, reason = val&(1<<flags["carry"]) == 0 and val&(1<<flags["zero"]) == 0, "!C && !Z"
+3129 elif mnemo == "bgeu": taken, reason = val&(1<<flags["carry"]) == 0, "!C"
+3130 elif mnemo == "bl": taken, reason = bool(val&(1<<flags["negative"])) and bool(val&(1<<flags["overflow"])), "N && O"
+3131 elif mnemo == "blu": taken, reason = bool(val&(1<<flags["carry"])), "C"
+3132 elif mnemo == "ble": taken, reason = bool(val&(1<<flags["zero"])) or bool(val&(1<<flags["negative"]) or val&(1<<flags["overflow"])), "Z || (N || O)"
+3133 elif mnemo == "bleu": taken, reason = bool(val&(1<<flags["carry"])) or bool(val&(1<<flags["zero"])), "C || Z"
+3134 elif mnemo == "bneg": taken, reason = bool(val&(1<<flags["negative"])), "N"
+3135 elif mnemo == "bpos": taken, reason = val&(1<<flags["negative"]) == 0, "!N"
+3136 elif mnemo == "bvs": taken, reason = bool(val&(1<<flags["overflow"])), "O"
+3137 elif mnemo == "bvc": taken, reason = val&(1<<flags["overflow"]) == 0, "!O"
+3138 elif mnemo == "bcs": taken, reason = bool(val&(1<<flags["carry"])), "C"
+3139 elif mnemo == "bcc": taken, reason = val&(1<<flags["carry"]) == 0, "!C"
+3140 return taken, reason
+ +3142 def get_ra(self, insn: Instruction, frame: "gdb.Frame") -> Optional[int]:
+3143 ra = None
+3144 if self.is_ret(insn):
+3145 ra = gef.arch.register("$o7")
+3146 elif frame.older():
+3147 ra = frame.older().pc()
+3148 return ra
+ +3150 @classmethod
+3151 def mprotect_asm(cls, addr: int, size: int, perm: Permission) -> str:
+3152 hi = (addr & 0xffff0000) >> 16
+3153 lo = (addr & 0x0000ffff)
+3154 _NR_mprotect = 125
+3155 insns = ["add %sp, -16, %sp",
+3156 "st %g1, [ %sp ]", "st %o0, [ %sp + 4 ]",
+3157 "st %o1, [ %sp + 8 ]", "st %o2, [ %sp + 12 ]",
+3158 f"sethi %hi({hi}), %o0",
+3159 f"or %o0, {lo}, %o0",
+3160 "clr %o1",
+3161 "clr %o2",
+3162 f"mov {_NR_mprotect}, %g1",
+3163 "t 0x10",
+3164 "ld [ %sp ], %g1", "ld [ %sp + 4 ], %o0",
+3165 "ld [ %sp + 8 ], %o1", "ld [ %sp + 12 ], %o2",
+3166 "add %sp, 16, %sp",]
+3167 return "; ".join(insns)
+ + +3170class SPARC64(SPARC):
+3171 """Refs:
+3172 - http://math-atlas.sourceforge.net/devel/assembly/abi_sysV_sparc.pdf
+3173 - https://cr.yp.to/2005-590/sparcv9.pdf
+3174 """
+3175 aliases = ("SPARC64", Elf.Abi.SPARC64)
+3176 arch = "SPARC"
+3177 mode = "V9"
+ +3179 all_registers = [
+3180 "$g0", "$g1", "$g2", "$g3", "$g4", "$g5", "$g6", "$g7",
+3181 "$o0", "$o1", "$o2", "$o3", "$o4", "$o5", "$o7",
+3182 "$l0", "$l1", "$l2", "$l3", "$l4", "$l5", "$l6", "$l7",
+3183 "$i0", "$i1", "$i2", "$i3", "$i4", "$i5", "$i7",
+3184 "$pc", "$npc", "$sp", "$fp", "$state", ]
+ +3186 flag_register = "$state" # sparcv9.pdf, 5.1.5.1 (ccr)
+3187 flags_table = {
+3188 35: "negative",
+3189 34: "zero",
+3190 33: "overflow",
+3191 32: "carry",
+3192 }
+ +3194 syscall_instructions = ["t 0x6d"]
+ +3196 @classmethod
+3197 def mprotect_asm(cls, addr: int, size: int, perm: Permission) -> str:
+3198 hi = (addr & 0xffff0000) >> 16
+3199 lo = (addr & 0x0000ffff)
+3200 _NR_mprotect = 125
+3201 insns = ["add %sp, -16, %sp",
+3202 "st %g1, [ %sp ]", "st %o0, [ %sp + 4 ]",
+3203 "st %o1, [ %sp + 8 ]", "st %o2, [ %sp + 12 ]",
+3204 f"sethi %hi({hi}), %o0",
+3205 f"or %o0, {lo}, %o0",
+3206 "clr %o1",
+3207 "clr %o2",
+3208 f"mov {_NR_mprotect}, %g1",
+3209 "t 0x6d",
+3210 "ld [ %sp ], %g1", "ld [ %sp + 4 ], %o0",
+3211 "ld [ %sp + 8 ], %o1", "ld [ %sp + 12 ], %o2",
+3212 "add %sp, 16, %sp",]
+3213 return "; ".join(insns)
+ + +3216class MIPS(Architecture):
+3217 aliases: Tuple[Union[str, Elf.Abi], ...] = ("MIPS", Elf.Abi.MIPS)
+3218 arch = "MIPS"
+3219 mode = "MIPS32"
+ +3221 # https://vhouten.home.xs4all.nl/mipsel/r3000-isa.html
+3222 all_registers = (
+3223 "$zero", "$at", "$v0", "$v1", "$a0", "$a1", "$a2", "$a3",
+3224 "$t0", "$t1", "$t2", "$t3", "$t4", "$t5", "$t6", "$t7",
+3225 "$s0", "$s1", "$s2", "$s3", "$s4", "$s5", "$s6", "$s7",
+3226 "$t8", "$t9", "$k0", "$k1", "$s8", "$pc", "$sp", "$hi",
+3227 "$lo", "$fir", "$ra", "$gp", )
+3228 instruction_length = 4
+3229 _ptrsize = 4
+3230 nop_insn = b"\x00\x00\x00\x00" # sll $0,$0,0
+3231 return_register = "$v0"
+3232 flag_register = "$fcsr"
+3233 flags_table = {}
+3234 function_parameters = ("$a0", "$a1", "$a2", "$a3")
+3235 syscall_register = "$v0"
+3236 syscall_instructions = ("syscall",)
+ +3238 def flag_register_to_human(self, val: Optional[int] = None) -> str:
+3239 return Color.colorify("No flag register", "yellow underline")
+ +3241 def is_call(self, insn: Instruction) -> bool:
+3242 return False
+ +3244 def is_ret(self, insn: Instruction) -> bool:
+3245 return insn.mnemonic == "jr" and insn.operands[0] == "ra"
+ +3247 def is_conditional_branch(self, insn: Instruction) -> bool:
+3248 mnemo = insn.mnemonic
+3249 branch_mnemos = {"beq", "bne", "beqz", "bnez", "bgtz", "bgez", "bltz", "blez"}
+3250 return mnemo in branch_mnemos
+ +3252 def is_branch_taken(self, insn: Instruction) -> Tuple[bool, str]:
+3253 mnemo, ops = insn.mnemonic, insn.operands
+3254 taken, reason = False, ""
+ +3256 if mnemo == "beq":
+3257 taken, reason = gef.arch.register(ops[0]) == gef.arch.register(ops[1]), "{0[0]} == {0[1]}".format(ops)
+3258 elif mnemo == "bne":
+3259 taken, reason = gef.arch.register(ops[0]) != gef.arch.register(ops[1]), "{0[0]} != {0[1]}".format(ops)
+3260 elif mnemo == "beqz":
+3261 taken, reason = gef.arch.register(ops[0]) == 0, "{0[0]} == 0".format(ops)
+3262 elif mnemo == "bnez":
+3263 taken, reason = gef.arch.register(ops[0]) != 0, "{0[0]} != 0".format(ops)
+3264 elif mnemo == "bgtz":
+3265 taken, reason = gef.arch.register(ops[0]) > 0, "{0[0]} > 0".format(ops)
+3266 elif mnemo == "bgez":
+3267 taken, reason = gef.arch.register(ops[0]) >= 0, "{0[0]} >= 0".format(ops)
+3268 elif mnemo == "bltz":
+3269 taken, reason = gef.arch.register(ops[0]) < 0, "{0[0]} < 0".format(ops)
+3270 elif mnemo == "blez":
+3271 taken, reason = gef.arch.register(ops[0]) <= 0, "{0[0]} <= 0".format(ops)
+3272 return taken, reason
+ +3274 def get_ra(self, insn: Instruction, frame: "gdb.Frame") -> Optional[int]:
+3275 ra = None
+3276 if self.is_ret(insn):
+3277 ra = gef.arch.register("$ra")
+3278 elif frame.older():
+3279 ra = frame.older().pc()
+3280 return ra
+ +3282 @classmethod
+3283 def mprotect_asm(cls, addr: int, size: int, perm: Permission) -> str:
+3284 _NR_mprotect = 4125
+3285 insns = ["addi $sp, $sp, -16",
+3286 "sw $v0, 0($sp)", "sw $a0, 4($sp)",
+3287 "sw $a3, 8($sp)", "sw $a3, 12($sp)",
+3288 f"li $v0, {_NR_mprotect:d}",
+3289 f"li $a0, {addr:d}",
+3290 f"li $a1, {size:d}",
+3291 f"li $a2, {perm.value:d}",
+3292 "syscall",
+3293 "lw $v0, 0($sp)", "lw $a1, 4($sp)",
+3294 "lw $a3, 8($sp)", "lw $a3, 12($sp)",
+3295 "addi $sp, $sp, 16",]
+3296 return "; ".join(insns)
+ + +3299class MIPS64(MIPS):
+3300 aliases = ("MIPS64",)
+3301 arch = "MIPS"
+3302 mode = "MIPS64"
+3303 _ptrsize = 8
+ +3305 @staticmethod
+3306 def supports_gdb_arch(gdb_arch: str) -> Optional[bool]:
+3307 return gdb_arch.startswith("mips") and gef.binary.e_class == Elf.Class.ELF_64_BITS
+ + +3310def copy_to_clipboard(data: bytes) -> None:
+3311 """Helper function to submit data to the clipboard"""
+3312 if sys.platform == "linux":
+3313 xclip = which("xclip")
+3314 prog = [xclip, "-selection", "clipboard", "-i"]
+3315 elif sys.platform == "darwin":
+3316 pbcopy = which("pbcopy")
+3317 prog = [pbcopy]
+3318 else:
+3319 raise NotImplementedError("copy: Unsupported OS")
+ +3321 with subprocess.Popen(prog, stdin=subprocess.PIPE) as p:
+3322 p.stdin.write(data)
+3323 p.stdin.close()
+3324 p.wait()
+3325 return
+ + +3328def use_stdtype() -> str:
+3329 if is_32bit(): return "uint32_t" 3329 ↛ exitline 3329 didn't return from function 'use_stdtype', because the return on line 3329 wasn't executed
+3330 elif is_64bit(): return "uint64_t" 3330 ↛ 3331line 3330 didn't jump to line 3331, because the condition on line 3330 was never false
+3331 return "uint16_t"
+ + +3334def use_default_type() -> str:
+3335 if is_32bit(): return "unsigned int" 3335 ↛ exitline 3335 didn't return from function 'use_default_type', because the return on line 3335 wasn't executed
+3336 elif is_64bit(): return "unsigned long" 3336 ↛ 3337line 3336 didn't jump to line 3337, because the condition on line 3336 was never false
+3337 return "unsigned short"
+ + +3340def use_golang_type() -> str:
+3341 if is_32bit(): return "uint32"
+3342 elif is_64bit(): return "uint64"
+3343 return "uint16"
+ + +3346def use_rust_type() -> str:
+3347 if is_32bit(): return "u32"
+3348 elif is_64bit(): return "u64"
+3349 return "u16"
+ + +3352def to_unsigned_long(v: gdb.Value) -> int:
+3353 """Cast a gdb.Value to unsigned long."""
+3354 mask = (1 << 64) - 1
+3355 return int(v.cast(gdb.Value(mask).type)) & mask
+ + +3358def get_path_from_info_proc() -> Optional[str]:
+3359 for x in gdb.execute("info proc", to_string=True).splitlines():
+3360 if x.startswith("exe = "):
+3361 return x.split(" = ")[1].replace("'", "")
+3362 return None
+ + +3365@deprecated("Use `gef.session.os`")
+3366def get_os() -> str:
+3367 return gef.session.os
+ + +3370@lru_cache()
+3371def is_qemu() -> bool:
+3372 if not is_remote_debug():
+3373 return False
+3374 response = gdb.execute("maintenance packet Qqemu.sstepbits", to_string=True, from_tty=False)
+3375 return "ENABLE=" in response
+ + +3378@lru_cache()
+3379def is_qemu_usermode() -> bool:
+3380 if not is_qemu():
+3381 return False
+3382 response = gdb.execute("maintenance packet qOffsets", to_string=True, from_tty=False)
+3383 return "Text=" in response
+ + +3386@lru_cache()
+3387def is_qemu_system() -> bool:
+3388 if not is_qemu():
+3389 return False
+3390 response = gdb.execute("maintenance packet qOffsets", to_string=True, from_tty=False)
+3391 return "received: \"\"" in response
+ + +3394def get_filepath() -> Optional[str]:
+3395 """Return the local absolute path of the file currently debugged."""
+3396 if gef.session.remote:
+3397 return str(gef.session.remote.lfile.absolute())
+3398 if gef.session.file: 3398 ↛ 3400line 3398 didn't jump to line 3400, because the condition on line 3398 was never false
+3399 return str(gef.session.file.absolute())
+3400 return None
+ + +3403def get_function_length(sym: str) -> int:
+3404 """Attempt to get the length of the raw bytes of a function."""
+3405 dis = gdb.execute(f"disassemble {sym}", to_string=True).splitlines()
+3406 start_addr = int(dis[1].split()[0], 16)
+3407 end_addr = int(dis[-2].split()[0], 16)
+3408 return end_addr - start_addr
+ + +3411@lru_cache()
+3412def get_info_files() -> List[Zone]:
+3413 """Retrieve all the files loaded by debuggee."""
+3414 lines = gdb.execute("info files", to_string=True).splitlines()
+3415 infos = []
+3416 for line in lines:
+3417 line = line.strip()
+3418 if not line: 3418 ↛ 3419line 3418 didn't jump to line 3419, because the condition on line 3418 was never true
+3419 break
+ +3421 if not line.startswith("0x"):
+3422 continue
+ +3424 blobs = [x.strip() for x in line.split(" ")]
+3425 addr_start = int(blobs[0], 16)
+3426 addr_end = int(blobs[2], 16)
+3427 section_name = blobs[4]
+ +3429 if len(blobs) == 7:
+3430 filename = blobs[6]
+3431 else:
+3432 filename = get_filepath()
+ +3434 infos.append(Zone(section_name, addr_start, addr_end, filename))
+3435 return infos
+ + +3438def process_lookup_address(address: int) -> Optional[Section]:
+3439 """Look up for an address in memory.
+3440 Return an Address object if found, None otherwise."""
+3441 if not is_alive(): 3441 ↛ 3442line 3441 didn't jump to line 3442, because the condition on line 3441 was never true
+3442 err("Process is not running")
+3443 return None
+ +3445 if is_x86(): 3445 ↛ 3449line 3445 didn't jump to line 3449, because the condition on line 3445 was never false
+3446 if is_in_x86_kernel(address): 3446 ↛ 3447line 3446 didn't jump to line 3447, because the condition on line 3446 was never true
+3447 return None
+ +3449 for sect in gef.memory.maps:
+3450 if sect.page_start <= address < sect.page_end:
+3451 return sect
+ +3453 return None
+ + +3456@lru_cache()
+3457def process_lookup_path(name: str, perm: Permission = Permission.ALL) -> Optional[Section]:
+3458 """Look up for a path in the process memory mapping.
+3459 Return a Section object if found, None otherwise."""
+3460 if not is_alive(): 3460 ↛ 3461line 3460 didn't jump to line 3461, because the condition on line 3460 was never true
+3461 err("Process is not running")
+3462 return None
+ +3464 for sect in gef.memory.maps: 3464 ↛ 3468line 3464 didn't jump to line 3468, because the loop on line 3464 didn't complete
+3465 if name in sect.path and sect.permission & perm:
+3466 return sect
+ +3468 return None
+ + +3471@lru_cache()
+3472def file_lookup_name_path(name: str, path: str) -> Optional[Zone]:
+3473 """Look up a file by name and path.
+3474 Return a Zone object if found, None otherwise."""
+3475 for xfile in get_info_files(): 3475 ↛ 3478line 3475 didn't jump to line 3478, because the loop on line 3475 didn't complete
+3476 if path == xfile.filename and name == xfile.name:
+3477 return xfile
+3478 return None
+ + +3481@lru_cache()
+3482def file_lookup_address(address: int) -> Optional[Zone]:
+3483 """Look up for a file by its address.
+3484 Return a Zone object if found, None otherwise."""
+3485 for info in get_info_files():
+3486 if info.zone_start <= address < info.zone_end:
+3487 return info
+3488 return None
+ + +3491@lru_cache()
+3492def lookup_address(address: int) -> Address:
+3493 """Try to find the address in the process address space.
+3494 Return an Address object, with validity flag set based on success."""
+3495 sect = process_lookup_address(address)
+3496 info = file_lookup_address(address)
+3497 if sect is None and info is None:
+3498 # i.e. there is no info on this address
+3499 return Address(value=address, valid=False)
+3500 return Address(value=address, section=sect, info=info)
+ + +3503def xor(data: ByteString, key: str) -> bytearray:
+3504 """Return `data` xor-ed with `key`."""
+3505 key_raw = binascii.unhexlify(key.lstrip("0x"))
+3506 return bytearray(x ^ y for x, y in zip(data, itertools.cycle(key_raw)))
+ + +3509def is_hex(pattern: str) -> bool:
+3510 """Return whether provided string is a hexadecimal value."""
+3511 if not pattern.lower().startswith("0x"):
+3512 return False
+3513 return len(pattern) % 2 == 0 and all(c in string.hexdigits for c in pattern[2:])
+ + +3516def continue_handler(_: "gdb.ContinueEvent") -> None:
+3517 """GDB event handler for new object continue cases."""
+3518 return
+ + +3521def hook_stop_handler(_: "gdb.StopEvent") -> None:
+3522 """GDB event handler for stop cases."""
+3523 reset_all_caches()
+3524 gdb.execute("context")
+3525 return
+ + +3528def new_objfile_handler(evt: Optional["gdb.NewObjFileEvent"]) -> None:
+3529 """GDB event handler for new object file cases."""
+3530 reset_all_caches()
+3531 path = evt.new_objfile.filename if evt else gdb.current_progspace().filename
+3532 try:
+3533 if gef.session.root and path.startswith("target:"): 3533 ↛ 3536line 3533 didn't jump to line 3536, because the condition on line 3533 was never true
+3534 # If the process is in a container, replace the "target:" prefix
+3535 # with the actual root directory of the process.
+3536 path = path.replace("target:", str(gef.session.root), 1)
+3537 target = pathlib.Path(path)
+3538 FileFormatClasses = list(filter(lambda fmtcls: fmtcls.is_valid(target), __registered_file_formats__))
+3539 GuessedFileFormatClass : Type[FileFormat] = FileFormatClasses.pop() if len(FileFormatClasses) else Elf
+3540 binary = GuessedFileFormatClass(target)
+3541 if not gef.binary:
+3542 gef.binary = binary
+3543 reset_architecture()
+3544 else:
+3545 gef.session.modules.append(binary)
+3546 except FileNotFoundError as fne: 3546 ↛ 3552line 3546 didn't jump to line 3552
+3547 # Linux automatically maps the vDSO into our process, and GDB
+3548 # will give us the string 'system-supplied DSO' as a path.
+3549 # This is normal, so we shouldn't warn the user about it
+3550 if "system-supplied DSO" not in path: 3550 ↛ 3551line 3550 didn't jump to line 3551, because the condition on line 3550 was never true
+3551 warn(f"Failed to find objfile or not a valid file format: {str(fne)}")
+3552 except RuntimeError as re:
+3553 warn(f"Not a valid file format: {str(re)}")
+3554 return
+ + +3557def exit_handler(_: "gdb.ExitedEvent") -> None:
+3558 """GDB event handler for exit cases."""
+3559 global gef
+3560 # flush the caches
+3561 reset_all_caches()
+ +3563 # disconnect properly the remote session
+3564 gef.session.qemu_mode = False
+3565 if gef.session.remote:
+3566 gef.session.remote.close()
+3567 del gef.session.remote
+3568 gef.session.remote = None
+3569 gef.session.remote_initializing = False
+ +3571 # if `autosave_breakpoints_file` setting is configured, save the breakpoints to disk
+3572 setting = (gef.config["gef.autosave_breakpoints_file"] or "").strip()
+3573 if not setting: 3573 ↛ 3576line 3573 didn't jump to line 3576, because the condition on line 3573 was never false
+3574 return
+ +3576 bkp_fpath = pathlib.Path(setting).expanduser().absolute()
+3577 if bkp_fpath.exists():
+3578 warn(f"{bkp_fpath} exists, content will be overwritten")
+ +3580 with bkp_fpath.open("w") as fd:
+3581 for bp in gdb.breakpoints():
+3582 if not bp.enabled or not bp.is_valid:
+3583 continue
+3584 fd.write(f"{'t' if bp.temporary else ''}break {bp.location}\n")
+3585 return
+ + +3588def memchanged_handler(_: "gdb.MemoryChangedEvent") -> None:
+3589 """GDB event handler for mem changes cases."""
+3590 reset_all_caches()
+3591 return
+ + +3594def regchanged_handler(_: "gdb.RegisterChangedEvent") -> None:
+3595 """GDB event handler for reg changes cases."""
+3596 reset_all_caches()
+3597 return
+ + +3600def get_terminal_size() -> Tuple[int, int]:
+3601 """Return the current terminal size."""
+3602 if is_debug(): 3602 ↛ 3605line 3602 didn't jump to line 3605, because the condition on line 3602 was never false
+3603 return 600, 100
+ +3605 if platform.system() == "Windows":
+3606 from ctypes import create_string_buffer, windll
+3607 hStdErr = -12
+3608 herr = windll.kernel32.GetStdHandle(hStdErr)
+3609 csbi = create_string_buffer(22)
+3610 res = windll.kernel32.GetConsoleScreenBufferInfo(herr, csbi)
+3611 if res:
+3612 _, _, _, _, _, left, top, right, bottom, _, _ = struct.unpack("hhhhHhhhhhh", csbi.raw)
+3613 tty_columns = right - left + 1
+3614 tty_rows = bottom - top + 1
+3615 return tty_rows, tty_columns
+3616 else:
+3617 return 600, 100
+3618 else:
+3619 import fcntl
+3620 import termios
+3621 try:
+3622 tty_rows, tty_columns = struct.unpack("hh", fcntl.ioctl(1, termios.TIOCGWINSZ, "1234")) # type: ignore
+3623 return tty_rows, tty_columns
+3624 except OSError:
+3625 return 600, 100
+ + +3628@lru_cache()
+3629def is_64bit() -> bool:
+3630 """Checks if current target is 64bit."""
+3631 return gef.arch.ptrsize == 8
+ + +3634@lru_cache()
+3635def is_32bit() -> bool:
+3636 """Checks if current target is 32bit."""
+3637 return gef.arch.ptrsize == 4
+ + +3640@lru_cache()
+3641def is_x86_64() -> bool:
+3642 """Checks if current target is x86-64"""
+3643 return Elf.Abi.X86_64 in gef.arch.aliases
+ + +3646@lru_cache()
+3647def is_x86_32():
+3648 """Checks if current target is an x86-32"""
+3649 return Elf.Abi.X86_32 in gef.arch.aliases
+ + +3652@lru_cache()
+3653def is_x86() -> bool:
+3654 return is_x86_32() or is_x86_64()
+ + +3657@lru_cache()
+3658def is_arch(arch: Elf.Abi) -> bool:
+3659 return arch in gef.arch.aliases
+ + +3662def reset_architecture(arch: Optional[str] = None) -> None:
+3663 """Sets the current architecture.
+3664 If an architecture is explicitly specified by parameter, try to use that one. If this fails, an `OSError`
+3665 exception will occur.
+3666 If no architecture is specified, then GEF will attempt to determine automatically based on the current
+3667 ELF target. If this fails, an `OSError` exception will occur.
+3668 """
+3669 global gef
+3670 arches = __registered_architectures__
+ +3672 # check if the architecture is forced by parameter
+3673 if arch: 3673 ↛ 3674line 3673 didn't jump to line 3674, because the condition on line 3673 was never true
+3674 try:
+3675 gef.arch = arches[arch]()
+3676 except KeyError:
+3677 raise OSError(f"Specified arch {arch.upper()} is not supported")
+3678 return
+ +3680 gdb_arch = get_arch()
+ +3682 preciser_arch = next((a for a in arches.values() if a.supports_gdb_arch(gdb_arch)), None)
+3683 if preciser_arch: 3683 ↛ 3684line 3683 didn't jump to line 3684, because the condition on line 3683 was never true
+3684 gef.arch = preciser_arch()
+3685 return
+ +3687 # last resort, use the info from elf header to find it from the known architectures
+3688 try:
+3689 arch_name = gef.binary.e_machine if gef.binary else gdb_arch
+3690 gef.arch = arches[arch_name]()
+3691 except KeyError:
+3692 raise OSError(f"CPU type is currently not supported: {get_arch()}")
+3693 return
+ + +3696@lru_cache()
+3697def cached_lookup_type(_type: str) -> Optional[gdb.Type]:
+3698 try:
+3699 return gdb.lookup_type(_type).strip_typedefs()
+3700 except RuntimeError:
+3701 return None
+ + +3704@deprecated("Use `gef.arch.ptrsize` instead")
+3705def get_memory_alignment(in_bits: bool = False) -> int:
+3706 """Try to determine the size of a pointer on this system.
+3707 First, try to parse it out of the ELF header.
+3708 Next, use the size of `size_t`.
+3709 Finally, try the size of $pc.
+3710 If `in_bits` is set to True, the result is returned in bits, otherwise in
+3711 bytes."""
+3712 res = cached_lookup_type("size_t")
+3713 if res is not None:
+3714 return res.sizeof if not in_bits else res.sizeof * 8
+ +3716 try:
+3717 return gdb.parse_and_eval("$pc").type.sizeof
+3718 except:
+3719 pass
+ +3721 raise OSError("GEF is running under an unsupported mode")
+ + +3724def clear_screen(tty: str = "") -> None:
+3725 """Clear the screen."""
+3726 global gef
+3727 if not tty: 3727 ↛ 3733line 3727 didn't jump to line 3733, because the condition on line 3727 was never false
+3728 gdb.execute("shell clear -x")
+3729 return
+ +3731 # Since the tty can be closed at any time, a PermissionError exception can
+3732 # occur when `clear_screen` is called. We handle this scenario properly
+3733 try:
+3734 with open(tty, "wt") as f:
+3735 f.write("\x1b[H\x1b[J")
+3736 except PermissionError:
+3737 gef.ui.redirect_fd = None
+3738 gef.config["context.redirect"] = ""
+3739 return
+ + +3742def format_address(addr: int) -> str:
+3743 """Format the address according to its size."""
+3744 memalign_size = gef.arch.ptrsize
+3745 addr = align_address(addr)
+ +3747 if memalign_size == 4: 3747 ↛ 3748line 3747 didn't jump to line 3748, because the condition on line 3747 was never true
+3748 return f"0x{addr:08x}"
+ +3750 return f"0x{addr:016x}"
+ + +3753def format_address_spaces(addr: int, left: bool = True) -> str:
+3754 """Format the address according to its size, but with spaces instead of zeroes."""
+3755 width = gef.arch.ptrsize * 2 + 2
+3756 addr = align_address(addr)
+ +3758 if not left: 3758 ↛ 3759line 3758 didn't jump to line 3759, because the condition on line 3758 was never true
+3759 return f"{addr:#x}".rjust(width)
+ +3761 return f"{addr:#x}".ljust(width)
+ + +3764def align_address(address: int) -> int:
+3765 """Align the provided address to the process's native length."""
+3766 if gef.arch.ptrsize == 4: 3766 ↛ 3767line 3766 didn't jump to line 3767, because the condition on line 3766 was never true
+3767 return address & 0xFFFFFFFF
+ +3769 return address & 0xFFFFFFFFFFFFFFFF
+ + +3772def align_address_to_size(address: int, align: int) -> int:
+3773 """Align the address to the given size."""
+3774 return address + ((align - (address % align)) % align)
+ + +3777def align_address_to_page(address: int) -> int:
+3778 """Align the address to a page."""
+3779 a = align_address(address) >> DEFAULT_PAGE_ALIGN_SHIFT
+3780 return a << DEFAULT_PAGE_ALIGN_SHIFT
+ + +3783def parse_address(address: str) -> int:
+3784 """Parse an address and return it as an Integer."""
+3785 if is_hex(address):
+3786 return int(address, 16)
+3787 return to_unsigned_long(gdb.parse_and_eval(address))
+ + +3790def is_in_x86_kernel(address: int) -> bool:
+3791 address = align_address(address)
+3792 memalign = gef.arch.ptrsize*8 - 1
+3793 return (address >> memalign) == 0xF
+ + +3796def is_remote_debug() -> bool:
+3797 """"Return True is the current debugging session is running through GDB remote session."""
+3798 return gef.session.remote_initializing or gef.session.remote is not None
+ + +3801def de_bruijn(alphabet: bytes, n: int) -> Generator[str, None, None]:
+3802 """De Bruijn sequence for alphabet and subsequences of length n (for compat. w/ pwnlib)."""
+3803 k = len(alphabet)
+3804 a = [0] * k * n
+ +3806 def db(t: int, p: int) -> Generator[str, None, None]:
+3807 if t > n:
+3808 if n % p == 0:
+3809 for j in range(1, p + 1):
+3810 yield alphabet[a[j]]
+3811 else:
+3812 a[t] = a[t - p]
+3813 yield from db(t + 1, p)
+ +3815 for j in range(a[t - p] + 1, k):
+3816 a[t] = j
+3817 yield from db(t + 1, t)
+ +3819 return db(1, 1)
+ + +3822def generate_cyclic_pattern(length: int, cycle: int = 4) -> bytearray:
+3823 """Create a `length` byte bytearray of a de Bruijn cyclic pattern."""
+3824 charset = bytearray(b"abcdefghijklmnopqrstuvwxyz")
+3825 return bytearray(itertools.islice(de_bruijn(charset, cycle), length))
+ + +3828def safe_parse_and_eval(value: str) -> Optional["gdb.Value"]:
+3829 """GEF wrapper for gdb.parse_and_eval(): this function returns None instead of raising
+3830 gdb.error if the eval failed."""
+3831 try:
+3832 return gdb.parse_and_eval(value)
+3833 except gdb.error:
+3834 pass
+3835 return None
+ + +3838@lru_cache()
+3839def dereference(addr: int) -> Optional["gdb.Value"]:
+3840 """GEF wrapper for gdb dereference function."""
+3841 try:
+3842 ulong_t = cached_lookup_type(use_stdtype()) or \
+3843 cached_lookup_type(use_default_type()) or \
+3844 cached_lookup_type(use_golang_type()) or \
+3845 cached_lookup_type(use_rust_type())
+3846 unsigned_long_type = ulong_t.pointer()
+3847 res = gdb.Value(addr).cast(unsigned_long_type).dereference()
+3848 # GDB does lazy fetch by default so we need to force access to the value
+3849 res.fetch_lazy()
+3850 return res
+3851 except gdb.MemoryError:
+3852 pass
+3853 return None
+ + +3856def gef_convenience(value: Union[str, bytes]) -> str:
+3857 """Defines a new convenience value."""
+3858 global gef
+3859 var_name = f"$_gef{gef.session.convenience_vars_index:d}"
+3860 gef.session.convenience_vars_index += 1
+3861 if isinstance(value, str):
+3862 gdb.execute(f"""set {var_name} = "{value}" """)
+3863 elif isinstance(value, bytes): 3863 ↛ 3867line 3863 didn't jump to line 3867, because the condition on line 3863 was never false
+3864 value_as_array = "{" + ", ".join(["%#.02x" % x for x in value]) + "}"
+3865 gdb.execute(f"""set {var_name} = {value_as_array} """)
+3866 else:
+3867 raise TypeError
+3868 return var_name
+ + +3871def parse_string_range(s: str) -> Iterator[int]:
+3872 """Parses an address range (e.g. 0x400000-0x401000)"""
+3873 addrs = s.split("-")
+3874 return map(lambda x: int(x, 16), addrs)
+ + +3877@lru_cache()
+3878def is_syscall(instruction: Union[Instruction,int]) -> bool:
+3879 """Checks whether an instruction or address points to a system call."""
+3880 if isinstance(instruction, int):
+3881 instruction = gef_current_instruction(instruction)
+3882 insn_str = instruction.mnemonic
+3883 if len(instruction.operands):
+3884 insn_str += f" {', '.join(instruction.operands)}"
+3885 return insn_str in gef.arch.syscall_instructions
+ + +3888#
+3889# Deprecated API
+3890#
+ +3892@deprecated("Use `gef.session.pie_breakpoints[num]`")
+3893def gef_get_pie_breakpoint(num: int) -> "PieVirtualBreakpoint":
+3894 return gef.session.pie_breakpoints[num]
+ + +3897@deprecated("Use `str(gef.arch.endianness)` instead")
+3898def endian_str() -> str:
+3899 return str(gef.arch.endianness)
+ + +3902@deprecated("Use `gef.config[key]`")
+3903def get_gef_setting(name: str) -> Any:
+3904 return gef.config[name]
+ + +3907@deprecated("Use `gef.config[key] = value`")
+3908def set_gef_setting(name: str, value: Any) -> None:
+3909 gef.config[name] = value
+3910 return
+ + +3913@deprecated("Use `gef.session.pagesize`")
+3914def gef_getpagesize() -> int:
+3915 return gef.session.pagesize
+ + +3918@deprecated("Use `gef.session.canary`")
+3919def gef_read_canary() -> Optional[Tuple[int, int]]:
+3920 return gef.session.canary
+ + +3923@deprecated("Use `gef.session.pid`")
+3924def get_pid() -> int:
+3925 return gef.session.pid
+ + +3928@deprecated("Use `gef.session.file.name`")
+3929def get_filename() -> str:
+3930 return gef.session.file.name
+ + +3933@deprecated("Use `gef.heap.main_arena`")
+3934def get_glibc_arena() -> Optional[GlibcArena]:
+3935 return gef.heap.main_arena
+ + +3938@deprecated("Use `gef.arch.register(regname)`")
+3939def get_register(regname) -> Optional[int]:
+3940 return gef.arch.register(regname)
+ + +3943@deprecated("Use `gef.memory.maps`")
+3944def get_process_maps() -> List[Section]:
+3945 return gef.memory.maps
+ + +3948@deprecated("Use `reset_architecture`")
+3949def set_arch(arch: Optional[str] = None, _: Optional[str] = None) -> None:
+3950 return reset_architecture(arch)
+ +3952#
+3953# GDB event hooking
+3954#
+ +3956@only_if_events_supported("cont")
+3957def gef_on_continue_hook(func: Callable[["gdb.ContinueEvent"], None]) -> None:
+3958 gdb.events.cont.connect(func)
+ + +3961@only_if_events_supported("cont")
+3962def gef_on_continue_unhook(func: Callable[["gdb.ThreadEvent"], None]) -> None:
+3963 gdb.events.cont.disconnect(func)
+ + +3966@only_if_events_supported("stop")
+3967def gef_on_stop_hook(func: Callable[["gdb.StopEvent"], None]) -> None:
+3968 gdb.events.stop.connect(func)
+ + +3971@only_if_events_supported("stop")
+3972def gef_on_stop_unhook(func: Callable[["gdb.StopEvent"], None]) -> None:
+3973 gdb.events.stop.disconnect(func)
+ + +3976@only_if_events_supported("exited")
+3977def gef_on_exit_hook(func: Callable[["gdb.ExitedEvent"], None]) -> None:
+3978 gdb.events.exited.connect(func)
+ + +3981@only_if_events_supported("exited")
+3982def gef_on_exit_unhook(func: Callable[["gdb.ExitedEvent"], None]) -> None:
+3983 gdb.events.exited.disconnect(func)
+ + +3986@only_if_events_supported("new_objfile")
+3987def gef_on_new_hook(func: Callable[["gdb.NewObjFileEvent"], None]) -> None:
+3988 gdb.events.new_objfile.connect(func)
+ + +3991@only_if_events_supported("new_objfile")
+3992def gef_on_new_unhook(func: Callable[["gdb.NewObjFileEvent"], None]) -> None:
+3993 gdb.events.new_objfile.disconnect(func)
+ + +3996@only_if_events_supported("clear_objfiles")
+3997def gef_on_unload_objfile_hook(func: Callable[["gdb.ClearObjFilesEvent"], None]) -> None:
+3998 gdb.events.clear_objfiles.connect(func)
+ + +4001@only_if_events_supported("clear_objfiles")
+4002def gef_on_unload_objfile_unhook(func: Callable[["gdb.ClearObjFilesEvent"], None]) -> None:
+4003 gdb.events.clear_objfiles.disconnect(func)
+ + +4006@only_if_events_supported("memory_changed")
+4007def gef_on_memchanged_hook(func: Callable[["gdb.MemoryChangedEvent"], None]) -> None:
+4008 gdb.events.memory_changed.connect(func)
+ + +4011@only_if_events_supported("memory_changed")
+4012def gef_on_memchanged_unhook(func: Callable[["gdb.MemoryChangedEvent"], None]) -> None:
+4013 gdb.events.memory_changed.disconnect(func)
+ + +4016@only_if_events_supported("register_changed")
+4017def gef_on_regchanged_hook(func: Callable[["gdb.RegisterChangedEvent"], None]) -> None:
+4018 gdb.events.register_changed.connect(func)
+ + +4021@only_if_events_supported("register_changed")
+4022def gef_on_regchanged_unhook(func: Callable[["gdb.RegisterChangedEvent"], None]) -> None:
+4023 gdb.events.register_changed.disconnect(func)
+ + +4026#
+4027# Virtual breakpoints
+4028#
+ +4030class PieVirtualBreakpoint:
+4031 """PIE virtual breakpoint (not real breakpoint)."""
+ +4033 def __init__(self, set_func: Callable[[int], str], vbp_num: int, addr: int) -> None:
+4034 # set_func(base): given a base address return a
+4035 # "set breakpoint" gdb command string
+4036 self.set_func = set_func
+4037 self.vbp_num = vbp_num
+4038 # breakpoint num, 0 represents not instantiated yet
+4039 self.bp_num = 0
+4040 self.bp_addr = 0
+4041 # this address might be a symbol, just to know where to break
+4042 if isinstance(addr, int): 4042 ↛ 4045line 4042 didn't jump to line 4045, because the condition on line 4042 was never false
+4043 self.addr: Union[int, str] = hex(addr)
+4044 else:
+4045 self.addr = addr
+4046 return
+ +4048 def instantiate(self, base: int) -> None:
+4049 if self.bp_num: 4049 ↛ 4050line 4049 didn't jump to line 4050, because the condition on line 4049 was never true
+4050 self.destroy()
+ +4052 try:
+4053 res = gdb.execute(self.set_func(base), to_string=True)
+4054 except gdb.error as e:
+4055 err(e)
+4056 return
+ +4058 if "Breakpoint" not in res: 4058 ↛ 4059line 4058 didn't jump to line 4059, because the condition on line 4058 was never true
+4059 err(res)
+4060 return
+4061 res_list = res.split()
+4062 self.bp_num = res_list[1]
+4063 self.bp_addr = res_list[3]
+4064 return
+ +4066 def destroy(self) -> None:
+4067 if not self.bp_num:
+4068 err("Destroy PIE breakpoint not even set")
+4069 return
+4070 gdb.execute(f"delete {self.bp_num}")
+4071 self.bp_num = 0
+4072 return
+ + +4075#
+4076# Breakpoints
+4077#
+ +4079class FormatStringBreakpoint(gdb.Breakpoint):
+4080 """Inspect stack for format string."""
+4081 def __init__(self, spec: str, num_args: int) -> None:
+4082 super().__init__(spec, type=gdb.BP_BREAKPOINT, internal=False)
+4083 self.num_args = num_args
+4084 self.enabled = True
+4085 return
+ +4087 def stop(self) -> bool:
+4088 reset_all_caches()
+4089 msg = []
+4090 ptr, addr = gef.arch.get_ith_parameter(self.num_args)
+4091 addr = lookup_address(addr)
+ +4093 if not addr.valid: 4093 ↛ 4094line 4093 didn't jump to line 4094, because the condition on line 4093 was never true
+4094 return False
+ +4096 if addr.section.is_writable(): 4096 ↛ 4106line 4096 didn't jump to line 4106, because the condition on line 4096 was never false
+4097 content = gef.memory.read_cstring(addr.value)
+4098 name = addr.info.name if addr.info else addr.section.path
+4099 msg.append(Color.colorify("Format string helper", "yellow bold"))
+4100 msg.append(f"Possible insecure format string: {self.location}('{ptr}' {RIGHT_ARROW} {addr.value:#x}: '{content}')")
+4101 msg.append(f"Reason: Call to '{self.location}()' with format string argument in position "
+4102 f"#{self.num_args:d} is in page {addr.section.page_start:#x} ({name}) that has write permission")
+4103 push_context_message("warn", "\n".join(msg))
+4104 return True
+ +4106 return False
+ + +4109class StubBreakpoint(gdb.Breakpoint):
+4110 """Create a breakpoint to permanently disable a call (fork/alarm/signal/etc.)."""
+ +4112 def __init__(self, func: str, retval: Optional[int]) -> None:
+4113 super().__init__(func, gdb.BP_BREAKPOINT, internal=False)
+4114 self.func = func
+4115 self.retval = retval
+ +4117 m = f"All calls to '{self.func}' will be skipped"
+4118 if self.retval is not None: 4118 ↛ 4120line 4118 didn't jump to line 4120, because the condition on line 4118 was never false
+4119 m += f" (with return value set to {self.retval:#x})"
+4120 info(m)
+4121 return
+ +4123 def stop(self) -> bool:
+4124 gdb.execute(f"return (unsigned int){self.retval:#x}")
+4125 ok(f"Ignoring call to '{self.func}' "
+4126 f"(setting return value to {self.retval:#x})")
+4127 return False
+ + +4130class ChangePermissionBreakpoint(gdb.Breakpoint):
+4131 """When hit, this temporary breakpoint will restore the original code, and position
+4132 $pc correctly."""
+ +4134 def __init__(self, loc: str, code: ByteString, pc: int) -> None:
+4135 super().__init__(loc, gdb.BP_BREAKPOINT, internal=False)
+4136 self.original_code = code
+4137 self.original_pc = pc
+4138 return
+ +4140 def stop(self) -> bool:
+4141 info("Restoring original context")
+4142 gef.memory.write(self.original_pc, self.original_code, len(self.original_code))
+4143 info("Restoring $pc")
+4144 gdb.execute(f"set $pc = {self.original_pc:#x}")
+4145 return True
+ + +4148class TraceMallocBreakpoint(gdb.Breakpoint):
+4149 """Track allocations done with malloc() or calloc()."""
+ +4151 def __init__(self, name: str) -> None:
+4152 super().__init__(name, gdb.BP_BREAKPOINT, internal=True)
+4153 self.silent = True
+4154 self.name = name
+4155 return
+ +4157 def stop(self) -> bool:
+4158 reset_all_caches()
+4159 _, size = gef.arch.get_ith_parameter(0)
+4160 self.retbp = TraceMallocRetBreakpoint(size, self.name)
+4161 return False
+ + +4164class TraceMallocRetBreakpoint(gdb.FinishBreakpoint):
+4165 """Internal temporary breakpoint to retrieve the return value of malloc()."""
+ +4167 def __init__(self, size: int, name: str) -> None:
+4168 super().__init__(gdb.newest_frame(), internal=True)
+4169 self.size = size
+4170 self.name = name
+4171 self.silent = True
+4172 return
+ +4174 def stop(self) -> bool:
+4175 if self.return_value: 4175 ↛ 4178line 4175 didn't jump to line 4178, because the condition on line 4175 was never false
+4176 loc = int(self.return_value)
+4177 else:
+4178 loc = parse_address(gef.arch.return_register)
+ +4180 size = self.size
+4181 ok(f"{Color.colorify('Heap-Analysis', 'yellow bold')} - {self.name}({size})={loc:#x}")
+4182 check_heap_overlap = gef.config["heap-analysis-helper.check_heap_overlap"]
+ +4184 # pop from free-ed list if it was in it
+4185 if gef.session.heap_freed_chunks: 4185 ↛ 4186line 4185 didn't jump to line 4186, because the condition on line 4185 was never true
+4186 idx = 0
+4187 for item in gef.session.heap_freed_chunks:
+4188 addr = item[0]
+4189 if addr == loc:
+4190 gef.session.heap_freed_chunks.remove(item)
+4191 continue
+4192 idx += 1
+ +4194 # pop from uaf watchlist
+4195 if gef.session.heap_uaf_watchpoints: 4195 ↛ 4196line 4195 didn't jump to line 4196, because the condition on line 4195 was never true
+4196 idx = 0
+4197 for wp in gef.session.heap_uaf_watchpoints:
+4198 wp_addr = wp.address
+4199 if loc <= wp_addr < loc + size:
+4200 gef.session.heap_uaf_watchpoints.remove(wp)
+4201 wp.enabled = False
+4202 continue
+4203 idx += 1
+ +4205 item = (loc, size)
+ +4207 if check_heap_overlap: 4207 ↛ 4229line 4207 didn't jump to line 4229, because the condition on line 4207 was never false
+4208 # seek all the currently allocated chunks, read their effective size and check for overlap
+4209 msg = []
+4210 align = gef.arch.ptrsize
+4211 for chunk_addr, _ in gef.session.heap_allocated_chunks:
+4212 current_chunk = GlibcChunk(chunk_addr)
+4213 current_chunk_size = current_chunk.size
+ +4215 if chunk_addr <= loc < chunk_addr + current_chunk_size: 4215 ↛ 4216line 4215 didn't jump to line 4216, because the condition on line 4215 was never true
+4216 offset = loc - chunk_addr - 2*align
+4217 if offset < 0: continue # false positive, discard
+ +4219 msg.append(Color.colorify("Heap-Analysis", "yellow bold"))
+4220 msg.append("Possible heap overlap detected")
+4221 msg.append(f"Reason {RIGHT_ARROW} new allocated chunk {loc:#x} (of size {size:d}) overlaps in-used chunk {chunk_addr:#x} (of size {current_chunk_size:#x})")
+4222 msg.append(f"Writing {offset:d} bytes from {chunk_addr:#x} will reach chunk {loc:#x}")
+4223 msg.append(f"Payload example for chunk {chunk_addr:#x} (to overwrite {loc:#x} headers):")
+4224 msg.append(" data = 'A'*{0:d} + 'B'*{1:d} + 'C'*{1:d}".format(offset, align))
+4225 push_context_message("warn", "\n".join(msg))
+4226 return True
+ +4228 # add it to alloc-ed list
+4229 gef.session.heap_allocated_chunks.append(item)
+4230 return False
+ + +4233class TraceReallocBreakpoint(gdb.Breakpoint):
+4234 """Track re-allocations done with realloc()."""
+ +4236 def __init__(self) -> None:
+4237 super().__init__("__libc_realloc", gdb.BP_BREAKPOINT, internal=True)
+4238 self.silent = True
+4239 return
+ +4241 def stop(self) -> bool:
+4242 _, ptr = gef.arch.get_ith_parameter(0)
+4243 _, size = gef.arch.get_ith_parameter(1)
+4244 self.retbp = TraceReallocRetBreakpoint(ptr, size)
+4245 return False
+ + +4248class TraceReallocRetBreakpoint(gdb.FinishBreakpoint):
+4249 """Internal temporary breakpoint to retrieve the return value of realloc()."""
+ +4251 def __init__(self, ptr: int, size: int) -> None:
+4252 super().__init__(gdb.newest_frame(), internal=True)
+4253 self.ptr = ptr
+4254 self.size = size
+4255 self.silent = True
+4256 return
+ +4258 def stop(self) -> bool:
+4259 if self.return_value: 4259 ↛ 4262line 4259 didn't jump to line 4262, because the condition on line 4259 was never false
+4260 newloc = int(self.return_value)
+4261 else:
+4262 newloc = parse_address(gef.arch.return_register)
+ +4264 if newloc != self: 4264 ↛ 4269line 4264 didn't jump to line 4269, because the condition on line 4264 was never false
+4265 ok("{} - realloc({:#x}, {})={}".format(Color.colorify("Heap-Analysis", "yellow bold"),
+4266 self.ptr, self.size,
+4267 Color.colorify(f"{newloc:#x}", "green"),))
+4268 else:
+4269 ok("{} - realloc({:#x}, {})={}".format(Color.colorify("Heap-Analysis", "yellow bold"),
+4270 self.ptr, self.size,
+4271 Color.colorify(f"{newloc:#x}", "red"),))
+ +4273 item = (newloc, self.size)
+ +4275 try:
+4276 # check if item was in alloc-ed list
+4277 idx = [x for x, y in gef.session.heap_allocated_chunks].index(self.ptr)
+4278 # if so pop it out
+4279 item = gef.session.heap_allocated_chunks.pop(idx)
+4280 except ValueError:
+4281 if is_debug():
+4282 warn(f"Chunk {self.ptr:#x} was not in tracking list")
+4283 finally:
+4284 # add new item to alloc-ed list
+4285 gef.session.heap_allocated_chunks.append(item)
+ +4287 return False
+ + +4290class TraceFreeBreakpoint(gdb.Breakpoint):
+4291 """Track calls to free() and attempts to detect inconsistencies."""
+ +4293 def __init__(self) -> None:
+4294 super().__init__("__libc_free", gdb.BP_BREAKPOINT, internal=True)
+4295 self.silent = True
+4296 return
+ +4298 def stop(self) -> bool:
+4299 reset_all_caches()
+4300 _, addr = gef.arch.get_ith_parameter(0)
+4301 msg = []
+4302 check_free_null = gef.config["heap-analysis-helper.check_free_null"]
+4303 check_double_free = gef.config["heap-analysis-helper.check_double_free"]
+4304 check_weird_free = gef.config["heap-analysis-helper.check_weird_free"]
+4305 check_uaf = gef.config["heap-analysis-helper.check_uaf"]
+ +4307 ok(f"{Color.colorify('Heap-Analysis', 'yellow bold')} - free({addr:#x})")
+4308 if addr == 0: 4308 ↛ 4309line 4308 didn't jump to line 4309, because the condition on line 4308 was never true
+4309 if check_free_null:
+4310 msg.append(Color.colorify("Heap-Analysis", "yellow bold"))
+4311 msg.append(f"Attempting to free(NULL) at {gef.arch.pc:#x}")
+4312 msg.append("Reason: if NULL page is allocatable, this can lead to code execution.")
+4313 push_context_message("warn", "\n".join(msg))
+4314 return True
+4315 return False
+ +4317 if addr in [x for (x, y) in gef.session.heap_freed_chunks]: 4317 ↛ 4318line 4317 didn't jump to line 4318, because the condition on line 4317 was never true
+4318 if check_double_free:
+4319 msg.append(Color.colorify("Heap-Analysis", "yellow bold"))
+4320 msg.append(f"Double-free detected {RIGHT_ARROW} free({addr:#x}) is called at {gef.arch.pc:#x} but is already in the free-ed list")
+4321 msg.append("Execution will likely crash...")
+4322 push_context_message("warn", "\n".join(msg))
+4323 return True
+4324 return False
+ +4326 # if here, no error
+4327 # 1. move alloc-ed item to free list
+4328 try:
+4329 # pop from alloc-ed list
+4330 idx = [x for x, y in gef.session.heap_allocated_chunks].index(addr)
+4331 item = gef.session.heap_allocated_chunks.pop(idx)
+ +4333 except ValueError:
+4334 if check_weird_free:
+4335 msg.append(Color.colorify("Heap-Analysis", "yellow bold"))
+4336 msg.append("Heap inconsistency detected:")
+4337 msg.append(f"Attempting to free an unknown value: {addr:#x}")
+4338 push_context_message("warn", "\n".join(msg))
+4339 return True
+4340 return False
+ +4342 # 2. add it to free-ed list
+4343 gef.session.heap_freed_chunks.append(item)
+ +4345 self.retbp = None
+4346 if check_uaf: 4346 ↛ 4349line 4346 didn't jump to line 4349, because the condition on line 4346 was never false
+4347 # 3. (opt.) add a watchpoint on pointer
+4348 self.retbp = TraceFreeRetBreakpoint(addr)
+4349 return False
+ + +4352class TraceFreeRetBreakpoint(gdb.FinishBreakpoint):
+4353 """Internal temporary breakpoint to track free()d values."""
+ +4355 def __init__(self, addr: int) -> None:
+4356 super().__init__(gdb.newest_frame(), internal=True)
+4357 self.silent = True
+4358 self.addr = addr
+4359 return
+ +4361 def stop(self) -> bool:
+4362 reset_all_caches()
+4363 wp = UafWatchpoint(self.addr)
+4364 gef.session.heap_uaf_watchpoints.append(wp)
+4365 return False
+ + +4368class UafWatchpoint(gdb.Breakpoint):
+4369 """Custom watchpoints set TraceFreeBreakpoint() to monitor free()d pointers being used."""
+ +4371 def __init__(self, addr: int) -> None:
+4372 super().__init__(f"*{addr:#x}", gdb.BP_WATCHPOINT, internal=True)
+4373 self.address = addr
+4374 self.silent = True
+4375 self.enabled = True
+4376 return
+ +4378 def stop(self) -> bool:
+4379 """If this method is triggered, we likely have a UaF. Break the execution and report it."""
+4380 reset_all_caches()
+4381 frame = gdb.selected_frame()
+4382 if frame.name() in ("_int_malloc", "malloc_consolidate", "__libc_calloc", ):
+4383 return False
+ +4385 # software watchpoints stop after the next statement (see
+4386 # https://sourceware.org/gdb/onlinedocs/gdb/Set-Watchpoints.html)
+4387 pc = gdb_get_nth_previous_instruction_address(gef.arch.pc, 2)
+4388 insn = gef_current_instruction(pc)
+4389 msg = []
+4390 msg.append(Color.colorify("Heap-Analysis", "yellow bold"))
+4391 msg.append(f"Possible Use-after-Free in '{get_filepath()}': "
+4392 f"pointer {self.address:#x} was freed, but is attempted to be used at {pc:#x}")
+4393 msg.append(f"{insn.address:#x} {insn.mnemonic} {Color.yellowify(', '.join(insn.operands))}")
+4394 push_context_message("warn", "\n".join(msg))
+4395 return True
+ + +4398class EntryBreakBreakpoint(gdb.Breakpoint):
+4399 """Breakpoint used internally to stop execution at the most convenient entry point."""
+ +4401 def __init__(self, location: str) -> None:
+4402 super().__init__(location, gdb.BP_BREAKPOINT, internal=True, temporary=True)
+4403 self.silent = True
+4404 return
+ +4406 def stop(self) -> bool:
+4407 reset_all_caches()
+4408 return True
+ + +4411class NamedBreakpoint(gdb.Breakpoint):
+4412 """Breakpoint which shows a specified name, when hit."""
+ +4414 def __init__(self, location: str, name: str) -> None:
+4415 super().__init__(spec=location, type=gdb.BP_BREAKPOINT, internal=False, temporary=False)
+4416 self.name = name
+4417 self.loc = location
+4418 return
+ +4420 def stop(self) -> bool:
+4421 reset_all_caches()
+4422 push_context_message("info", f"Hit breakpoint {self.loc} ({Color.colorify(self.name, 'red bold')})")
+4423 return True
+ + +4426#
+4427# Context Panes
+4428#
+ +4430def register_external_context_pane(pane_name: str, display_pane_function: Callable[[], None], pane_title_function: Callable[[], Optional[str]], condition : Optional[Callable[[], bool]] = None) -> None:
+4431 """
+4432 Registering function for new GEF Context View.
+4433 pane_name: a string that has no spaces (used in settings)
+4434 display_pane_function: a function that uses gef_print() to print strings
+4435 pane_title_function: a function that returns a string or None, which will be displayed as the title.
+4436 If None, no title line is displayed.
+4437 condition: an optional callback: if not None, the callback will be executed first. If it returns true,
+4438 then only the pane title and content will displayed. Otherwise, it's simply skipped.
+ +4440 Example usage for a simple text to show when we hit a syscall:
+4441 def only_syscall(): return gef_current_instruction(gef.arch.pc).is_syscall()
+4442 def display_pane():
+4443 gef_print("Wow, I am a context pane!")
+4444 def pane_title():
+4445 return "example:pane"
+4446 register_external_context_pane("example_pane", display_pane, pane_title, only_syscall)
+4447 """
+4448 gef.gdb.add_context_pane(pane_name, display_pane_function, pane_title_function, condition)
+4449 return
+ + +4452#
+4453# Commands
+4454#
+4455@deprecated("Use `register()`, and inherit from `GenericCommand` instead")
+4456def register_external_command(cls: Type["GenericCommand"]) -> Type["GenericCommand"]:
+4457 """Registering function for new GEF (sub-)command to GDB."""
+4458 return cls
+ +4460@deprecated("Use `register()`, and inherit from `GenericCommand` instead")
+4461def register_command(cls: Type["GenericCommand"]) -> Type["GenericCommand"]:
+4462 """Decorator for registering new GEF (sub-)command to GDB."""
+4463 return cls
+ +4465@deprecated("")
+4466def register_priority_command(cls: Type["GenericCommand"]) -> Type["GenericCommand"]:
+4467 """Decorator for registering new command with priority, meaning that it must
+4468 loaded before the other generic commands."""
+4469 return cls
+ + +4472def register(cls: Union[Type["GenericCommand"], Type["GenericFunction"]]) -> Union[Type["GenericCommand"], Type["GenericFunction"]]:
+4473 global __registered_commands__, __registered_functions__
+4474 if issubclass(cls, GenericCommand):
+4475 assert( hasattr(cls, "_cmdline_"))
+4476 assert( hasattr(cls, "do_invoke"))
+4477 assert( all(map(lambda x: x._cmdline_ != cls._cmdline_, __registered_commands__)))
+4478 __registered_commands__.add(cls)
+4479 return cls
+ +4481 if issubclass(cls, GenericFunction): 4481 ↛ 4488line 4481 didn't jump to line 4488, because the condition on line 4481 was never false
+4482 assert( hasattr(cls, "_function_"))
+4483 assert( hasattr(cls, "invoke"))
+4484 assert( all(map(lambda x: x._function_ != cls._function_, __registered_functions__)))
+4485 __registered_functions__.add(cls)
+4486 return cls
+ +4488 raise TypeError(f"`{cls.__class__}` is an illegal class for `register`")
+ + +4491class GenericCommand(gdb.Command):
+4492 """This is an abstract class for invoking commands, should not be instantiated."""
+ +4494 _cmdline_: str
+4495 _syntax_: str
+4496 _example_: Union[str, List[str]] = ""
+ +4498 def __init_subclass__(cls, **kwargs):
+4499 super().__init_subclass__(**kwargs)
+4500 attributes = ("_cmdline_", "_syntax_", )
+4501 if not all(map(lambda x: hasattr(cls, x), attributes)): 4501 ↛ 4502line 4501 didn't jump to line 4502, because the condition on line 4501 was never true
+4502 raise NotImplementedError
+ +4504 def __init__(self, *args: Any, **kwargs: Any) -> None:
+4505 self.pre_load()
+4506 syntax = Color.yellowify("\nSyntax: ") + self._syntax_
+4507 example = Color.yellowify("\nExamples: \n\t")
+4508 if isinstance(self._example_, list):
+4509 example += "\n\t".join(self._example_)
+4510 elif isinstance(self._example_, str): 4510 ↛ 4512line 4510 didn't jump to line 4512, because the condition on line 4510 was never false
+4511 example += self._example_
+4512 self.__doc__ = self.__doc__.replace(" "*4, "") + syntax + example
+4513 self.repeat = False
+4514 self.repeat_count = 0
+4515 self.__last_command = None
+4516 command_type = kwargs.setdefault("command", gdb.COMMAND_OBSCURE)
+4517 complete_type = kwargs.setdefault("complete", gdb.COMPLETE_NONE)
+4518 prefix = kwargs.setdefault("prefix", False)
+4519 super().__init__(self._cmdline_, command_type, complete_type, prefix)
+4520 self.post_load()
+4521 return
+ +4523 def invoke(self, args: str, from_tty: bool) -> None:
+4524 try:
+4525 argv = gdb.string_to_argv(args)
+4526 self.__set_repeat_count(argv, from_tty)
+4527 bufferize(self.do_invoke)(argv)
+4528 except Exception as e:
+4529 # Note: since we are intercepting cleaning exceptions here, commands preferably should avoid
+4530 # catching generic Exception, but rather specific ones. This is allows a much cleaner use.
+4531 if is_debug(): 4531 ↛ 4534line 4531 didn't jump to line 4534, because the condition on line 4531 was never false
+4532 show_last_exception()
+4533 else:
+4534 err(f"Command '{self._cmdline_}' failed to execute properly, reason: {e}")
+4535 return
+ +4537 def usage(self) -> None:
+4538 err(f"Syntax\n{self._syntax_}")
+4539 return
+ +4541 def do_invoke(self, argv: List[str]) -> None:
+4542 raise NotImplementedError
+ +4544 def pre_load(self) -> None:
+4545 return
+ +4547 def post_load(self) -> None:
+4548 return
+ +4550 def __get_setting_name(self, name: str) -> str:
+4551 clsname = self.__class__._cmdline_.replace(" ", "-")
+4552 return f"{clsname}.{name}"
+ +4554 def __iter__(self) -> Generator[str, None, None]:
+4555 for key in gef.config.keys():
+4556 if key.startswith(self._cmdline_):
+4557 yield key.replace(f"{self._cmdline_}.", "", 1)
+ +4559 @property
+4560 def settings(self) -> List[str]:
+4561 """Return the list of settings for this command."""
+4562 return list(iter(self))
+ +4564 @deprecated(f"Use `self[setting_name]` instead")
+4565 def get_setting(self, name: str) -> Any:
+4566 return self.__getitem__(name)
+ +4568 def __getitem__(self, name: str) -> Any:
+4569 key = self.__get_setting_name(name)
+4570 return gef.config[key]
+ +4572 @deprecated(f"Use `setting_name in self` instead")
+4573 def has_setting(self, name: str) -> bool:
+4574 return self.__contains__(name)
+ +4576 def __contains__(self, name: str) -> bool:
+4577 return self.__get_setting_name(name) in gef.config
+ +4579 @deprecated(f"Use `self[setting_name] = value` instead")
+4580 def add_setting(self, name: str, value: Tuple[Any, type, str], description: str = "") -> None:
+4581 return self.__setitem__(name, (value, type(value), description))
+ +4583 def __setitem__(self, name: str, value: Union[Any, Tuple[Any, str]]) -> None:
+4584 # make sure settings are always associated to the root command (which derives from GenericCommand)
+4585 if "GenericCommand" not in [x.__name__ for x in self.__class__.__bases__]:
+4586 return
+4587 key = self.__get_setting_name(name)
+4588 if key in gef.config:
+4589 setting = gef.config.raw_entry(key)
+4590 setting.value = value
+4591 else:
+4592 if len(value) == 1: 4592 ↛ 4593line 4592 didn't jump to line 4593, because the condition on line 4592 was never true
+4593 gef.config[key] = GefSetting(value[0])
+4594 elif len(value) == 2: 4594 ↛ 4596line 4594 didn't jump to line 4596, because the condition on line 4594 was never false
+4595 gef.config[key] = GefSetting(value[0], description=value[1])
+4596 return
+ +4598 @deprecated(f"Use `del self[setting_name]` instead")
+4599 def del_setting(self, name: str) -> None:
+4600 return self.__delitem__(name)
+ +4602 def __delitem__(self, name: str) -> None:
+4603 del gef.config[self.__get_setting_name(name)]
+4604 return
+ +4606 def __set_repeat_count(self, argv: List[str], from_tty: bool) -> None:
+4607 if not from_tty:
+4608 self.repeat = False
+4609 self.repeat_count = 0
+4610 return
+ +4612 command = gdb.execute("show commands", to_string=True).strip().split("\n")[-1]
+4613 self.repeat = self.__last_command == command
+4614 self.repeat_count = self.repeat_count + 1 if self.repeat else 0
+4615 self.__last_command = command
+4616 return
+ + +4619@register
+4620class VersionCommand(GenericCommand):
+4621 """Display GEF version info."""
+ +4623 _cmdline_ = "version"
+4624 _syntax_ = f"{_cmdline_}"
+4625 _example_ = f"{_cmdline_}"
+ +4627 def do_invoke(self, argv: List[str]) -> None:
+4628 gef_fpath = pathlib.Path(inspect.stack()[0][1]).expanduser().absolute()
+4629 gef_dir = gef_fpath.parent
+4630 with gef_fpath.open("rb") as f:
+4631 gef_hash = hashlib.sha256(f.read()).hexdigest()
+ +4633 if os.access(f"{gef_dir}/.git", os.X_OK): 4633 ↛ 4638line 4633 didn't jump to line 4638, because the condition on line 4633 was never false
+4634 ver = subprocess.check_output("git log --format='%H' -n 1 HEAD", cwd=gef_dir, shell=True).decode("utf8").strip()
+4635 extra = "dirty" if len(subprocess.check_output("git ls-files -m", cwd=gef_dir, shell=True).decode("utf8").strip()) else "clean"
+4636 gef_print(f"GEF: rev:{ver} (Git - {extra})")
+4637 else:
+4638 gef_blob_hash = subprocess.check_output(f"git hash-object {gef_fpath}", shell=True).decode().strip()
+4639 gef_print("GEF: (Standalone)")
+4640 gef_print(f"Blob Hash({gef_fpath}): {gef_blob_hash}")
+4641 gef_print(f"SHA256({gef_fpath}): {gef_hash}")
+4642 gef_print(f"GDB: {gdb.VERSION}")
+4643 py_ver = f"{sys.version_info.major:d}.{sys.version_info.minor:d}"
+4644 gef_print(f"GDB-Python: {py_ver}")
+ +4646 if "full" in argv:
+4647 gef_print(f"Loaded commands: {', '.join(gef.gdb.loaded_command_names)}")
+4648 return
+ + +4651@register
+4652class PrintFormatCommand(GenericCommand):
+4653 """Print bytes format in commonly used formats, such as literals in high level languages."""
+ +4655 valid_formats = ("py", "c", "js", "asm", "hex", "bytearray")
+4656 valid_bitness = (8, 16, 32, 64)
+ +4658 _cmdline_ = "print-format"
+4659 _aliases_ = ["pf",]
+4660 _syntax_ = (f"{_cmdline_} [--lang LANG] [--bitlen SIZE] [(--length,-l) LENGTH] [--clip] LOCATION"
+4661 f"\t--lang LANG specifies the output format for programming language (available: {valid_formats!s}, default 'py')."
+4662 f"\t--bitlen SIZE specifies size of bit (possible values: {valid_bitness!s}, default is 8)."
+4663 "\t--length LENGTH specifies length of array (default is 256)."
+4664 "\t--clip The output data will be copied to clipboard"
+4665 "\tLOCATION specifies where the address of bytes is stored.")
+4666 _example_ = f"{_cmdline_} --lang py -l 16 $rsp"
+ +4668 def __init__(self) -> None:
+4669 super().__init__(complete=gdb.COMPLETE_LOCATION)
+4670 self["max_size_preview"] = (10, "max size preview of bytes")
+4671 return
+ +4673 @property
+4674 def format_matrix(self) -> Dict[int, Tuple[str, str, str]]:
+4675 # `gef.arch.endianness` is a runtime property, should not be defined as a class property
+4676 return {
+4677 8: (f"{gef.arch.endianness}B", "char", "db"),
+4678 16: (f"{gef.arch.endianness}H", "short", "dw"),
+4679 32: (f"{gef.arch.endianness}I", "int", "dd"),
+4680 64: (f"{gef.arch.endianness}Q", "long long", "dq"),
+4681 }
+ +4683 @only_if_gdb_running
+4684 @parse_arguments({"location": "$pc", }, {("--length", "-l"): 256, "--bitlen": 0, "--lang": "py", "--clip": True,})
+4685 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+4686 """Default value for print-format command."""
+4687 args: argparse.Namespace = kwargs["arguments"]
+4688 args.bitlen = args.bitlen or gef.arch.ptrsize * 2
+ +4690 valid_bitlens = self.format_matrix.keys()
+4691 if args.bitlen not in valid_bitlens: 4691 ↛ 4692line 4691 didn't jump to line 4692, because the condition on line 4691 was never true
+4692 err(f"Size of bit must be in: {valid_bitlens!s}")
+4693 return
+ +4695 if args.lang not in self.valid_formats:
+4696 err(f"Language must be in: {self.valid_formats!s}")
+4697 return
+ +4699 start_addr = parse_address(args.location)
+4700 size = int(args.bitlen / 8)
+4701 end_addr = start_addr + args.length * size
+4702 fmt = self.format_matrix[args.bitlen][0]
+4703 data = []
+ +4705 if args.lang != "bytearray":
+4706 for addr in range(start_addr, end_addr, size):
+4707 value = struct.unpack(fmt, gef.memory.read(addr, size))[0]
+4708 data += [value]
+4709 sdata = ", ".join(map(hex, data))
+4710 else:
+4711 sdata = ""
+ +4713 if args.lang == "bytearray":
+4714 data = gef.memory.read(start_addr, args.length)
+4715 preview = str(data[0:self["max_size_preview"]])
+4716 out = f"Saved data {preview}... in '{gef_convenience(data)}'"
+4717 elif args.lang == "py":
+4718 out = f"buf = [{sdata}]"
+4719 elif args.lang == "c": 4719 ↛ 4720line 4719 didn't jump to line 4720, because the condition on line 4719 was never true
+4720 c_type = self.format_matrix[args.bitlen][1]
+4721 out = f"unsigned {c_type} buf[{args.length}] = {{{sdata}}};"
+4722 elif args.lang == "js":
+4723 out = f"var buf = [{sdata}]"
+4724 elif args.lang == "asm": 4724 ↛ 4725line 4724 didn't jump to line 4725, because the condition on line 4724 was never true
+4725 asm_type = self.format_matrix[args.bitlen][2]
+4726 out = "buf {0} {1}".format(asm_type, sdata)
+4727 elif args.lang == "hex": 4727 ↛ 4730line 4727 didn't jump to line 4730, because the condition on line 4727 was never false
+4728 out = binascii.hexlify(gef.memory.read(start_addr, end_addr-start_addr)).decode()
+4729 else:
+4730 raise ValueError(f"Invalid format: {args.lang}")
+ +4732 if args.clip: 4732 ↛ 4733line 4732 didn't jump to line 4733, because the condition on line 4732 was never true
+4733 if copy_to_clipboard(gef_pybytes(out)):
+4734 info("Copied to clipboard")
+4735 else:
+4736 warn("There's a problem while copying")
+ +4738 gef_print(out)
+4739 return
+ + +4742@register
+4743class PieCommand(GenericCommand):
+4744 """PIE breakpoint support."""
+ +4746 _cmdline_ = "pie"
+4747 _syntax_ = f"{_cmdline_} (breakpoint|info|delete|run|attach|remote)"
+ +4749 def __init__(self) -> None:
+4750 super().__init__(prefix=True)
+4751 return
+ +4753 def do_invoke(self, argv: List[str]) -> None:
+4754 if not argv: 4754 ↛ 4756line 4754 didn't jump to line 4756, because the condition on line 4754 was never false
+4755 self.usage()
+4756 return
+ + +4759@register
+4760class PieBreakpointCommand(GenericCommand):
+4761 """Set a PIE breakpoint at an offset from the target binaries base address."""
+ +4763 _cmdline_ = "pie breakpoint"
+4764 _syntax_ = f"{_cmdline_} OFFSET"
+ +4766 @parse_arguments({"offset": ""}, {})
+4767 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+4768 args : argparse.Namespace = kwargs["arguments"]
+4769 if not args.offset: 4769 ↛ 4770line 4769 didn't jump to line 4770, because the condition on line 4769 was never true
+4770 self.usage()
+4771 return
+ +4773 addr = parse_address(args.offset)
+4774 self.set_pie_breakpoint(lambda base: f"b *{base + addr}", addr)
+ +4776 # When the process is already on, set real breakpoints immediately
+4777 if is_alive(): 4777 ↛ 4778line 4777 didn't jump to line 4778, because the condition on line 4777 was never true
+4778 vmmap = gef.memory.maps
+4779 base_address = [x.page_start for x in vmmap if x.path == get_filepath()][0]
+4780 for bp_ins in gef.session.pie_breakpoints.values():
+4781 bp_ins.instantiate(base_address)
+4782 return
+ +4784 @staticmethod
+4785 def set_pie_breakpoint(set_func: Callable[[int], str], addr: int) -> None:
+4786 gef.session.pie_breakpoints[gef.session.pie_counter] = PieVirtualBreakpoint(set_func, gef.session.pie_counter, addr)
+4787 gef.session.pie_counter += 1
+4788 return
+ + +4791@register
+4792class PieInfoCommand(GenericCommand):
+4793 """Display breakpoint info."""
+ +4795 _cmdline_ = "pie info"
+4796 _syntax_ = f"{_cmdline_} BREAKPOINT"
+ +4798 @parse_arguments({"breakpoints": [-1,]}, {})
+4799 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+4800 args : argparse.Namespace = kwargs["arguments"]
+4801 if args.breakpoints[0] == -1:
+4802 # No breakpoint info needed
+4803 bps = gef.session.pie_breakpoints.values()
+4804 else:
+4805 bps = [gef.session.pie_breakpoints[x]
+4806 for x in args.breakpoints
+4807 if x in gef.session.pie_breakpoints]
+ +4809 lines = ["{:6s} {:6s} {:18s}".format("VNum","Num","Addr")]
+4810 lines += [
+4811 f"{x.vbp_num:6d} {str(x.bp_num) if x.bp_num else 'N/A':6s} {x.addr:18s}" for x in bps
+4812 ]
+4813 gef_print("\n".join(lines))
+4814 return
+ + +4817@register
+4818class PieDeleteCommand(GenericCommand):
+4819 """Delete a PIE breakpoint."""
+ +4821 _cmdline_ = "pie delete"
+4822 _syntax_ = f"{_cmdline_} [BREAKPOINT]"
+ +4824 @parse_arguments({"breakpoints": [-1,]}, {})
+4825 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+4826 global gef
+4827 args : argparse.Namespace = kwargs["arguments"]
+4828 if args.breakpoints[0] == -1: 4828 ↛ 4830line 4828 didn't jump to line 4830, because the condition on line 4828 was never true
+4829 # no arg, delete all
+4830 to_delete = list(gef.session.pie_breakpoints.values())
+4831 self.delete_bp(to_delete)
+4832 else:
+4833 self.delete_bp([gef.session.pie_breakpoints[x]
+4834 for x in args.breakpoints
+4835 if x in gef.session.pie_breakpoints])
+4836 return
+ + +4839 @staticmethod
+4840 def delete_bp(breakpoints: List[PieVirtualBreakpoint]) -> None:
+4841 global gef
+4842 for bp in breakpoints:
+4843 # delete current real breakpoints if exists
+4844 if bp.bp_num: 4844 ↛ 4845line 4844 didn't jump to line 4845, because the condition on line 4844 was never true
+4845 gdb.execute(f"delete {bp.bp_num}")
+4846 # delete virtual breakpoints
+4847 del gef.session.pie_breakpoints[bp.vbp_num]
+4848 return
+ + +4851@register
+4852class PieRunCommand(GenericCommand):
+4853 """Run process with PIE breakpoint support."""
+ +4855 _cmdline_ = "pie run"
+4856 _syntax_ = _cmdline_
+ +4858 def do_invoke(self, argv: List[str]) -> None:
+4859 global gef
+4860 fpath = get_filepath()
+4861 if not fpath: 4861 ↛ 4862line 4861 didn't jump to line 4862, because the condition on line 4861 was never true
+4862 warn("No executable to debug, use `file` to load a binary")
+4863 return
+ +4865 if not os.access(fpath, os.X_OK): 4865 ↛ 4866line 4865 didn't jump to line 4866, because the condition on line 4865 was never true
+4866 warn(f"The file '{fpath}' is not executable.")
+4867 return
+ +4869 if is_alive(): 4869 ↛ 4870line 4869 didn't jump to line 4870, because the condition on line 4869 was never true
+4870 warn("gdb is already running. Restart process.")
+ +4872 # get base address
+4873 gdb.execute("set stop-on-solib-events 1")
+4874 hide_context()
+4875 gdb.execute(f"run {' '.join(argv)}")
+4876 unhide_context()
+4877 gdb.execute("set stop-on-solib-events 0")
+4878 vmmap = gef.memory.maps
+4879 base_address = [x.page_start for x in vmmap if x.path == get_filepath()][0]
+4880 info(f"base address {hex(base_address)}")
+ +4882 # modify all breakpoints
+4883 for bp_ins in gef.session.pie_breakpoints.values():
+4884 bp_ins.instantiate(base_address)
+ +4886 try:
+4887 gdb.execute("continue")
+4888 except gdb.error as e:
+4889 err(e)
+4890 gdb.execute("kill")
+4891 return
+ + +4894@register
+4895class PieAttachCommand(GenericCommand):
+4896 """Do attach with PIE breakpoint support."""
+ +4898 _cmdline_ = "pie attach"
+4899 _syntax_ = f"{_cmdline_} PID"
+ +4901 def do_invoke(self, argv: List[str]) -> None:
+4902 try:
+4903 gdb.execute(f"attach {' '.join(argv)}", to_string=True)
+4904 except gdb.error as e:
+4905 err(e)
+4906 return
+4907 # after attach, we are stopped so that we can
+4908 # get base address to modify our breakpoint
+4909 vmmap = gef.memory.maps
+4910 base_address = [x.page_start for x in vmmap if x.path == get_filepath()][0]
+ +4912 for bp_ins in gef.session.pie_breakpoints.values():
+4913 bp_ins.instantiate(base_address)
+4914 gdb.execute("context")
+4915 return
+ + +4918@register
+4919class PieRemoteCommand(GenericCommand):
+4920 """Attach to a remote connection with PIE breakpoint support."""
+ +4922 _cmdline_ = "pie remote"
+4923 _syntax_ = f"{_cmdline_} REMOTE"
+ +4925 def do_invoke(self, argv: List[str]) -> None:
+4926 try:
+4927 gdb.execute(f"gef-remote {' '.join(argv)}")
+4928 except gdb.error as e:
+4929 err(e)
+4930 return
+4931 # after remote attach, we are stopped so that we can
+4932 # get base address to modify our breakpoint
+4933 vmmap = gef.memory.maps
+4934 base_address = [x.page_start for x in vmmap if x.realpath == get_filepath()][0]
+ +4936 for bp_ins in gef.session.pie_breakpoints.values():
+4937 bp_ins.instantiate(base_address)
+4938 gdb.execute("context")
+4939 return
+ + +4942@register
+4943class SmartEvalCommand(GenericCommand):
+4944 """SmartEval: Smart eval (vague approach to mimic WinDBG `?`)."""
+ +4946 _cmdline_ = "$"
+4947 _syntax_ = f"{_cmdline_} EXPR\n{_cmdline_} ADDRESS1 ADDRESS2"
+4948 _example_ = (f"\n{_cmdline_} $pc+1"
+4949 f"\n{_cmdline_} 0x00007ffff7a10000 0x00007ffff7bce000")
+ +4951 def do_invoke(self, argv: List[str]) -> None:
+4952 argc = len(argv)
+4953 if argc == 1:
+4954 self.evaluate(argv)
+4955 return
+ +4957 if argc == 2: 4957 ↛ 4959line 4957 didn't jump to line 4959, because the condition on line 4957 was never false
+4958 self.distance(argv)
+4959 return
+ +4961 def evaluate(self, expr: List[str]) -> None:
+4962 def show_as_int(i: int) -> None:
+4963 off = gef.arch.ptrsize*8
+4964 def comp2_x(x: Any) -> str: return f"{(x + (1 << off)) % (1 << off):x}"
+4965 def comp2_b(x: Any) -> str: return f"{(x + (1 << off)) % (1 << off):b}"
+ +4967 try:
+4968 s_i = comp2_x(res)
+4969 s_i = s_i.rjust(len(s_i)+1, "0") if len(s_i)%2 else s_i
+4970 gef_print(f"{i:d}")
+4971 gef_print("0x" + comp2_x(res))
+4972 gef_print("0b" + comp2_b(res))
+4973 gef_print(f"{binascii.unhexlify(s_i)}")
+4974 gef_print(f"{binascii.unhexlify(s_i)[::-1]}")
+4975 except:
+4976 pass
+4977 return
+ +4979 parsed_expr = []
+4980 for xp in expr:
+4981 try:
+4982 xp = gdb.parse_and_eval(xp)
+4983 xp = int(xp)
+4984 parsed_expr.append(f"{xp:d}")
+4985 except gdb.error:
+4986 parsed_expr.append(str(xp))
+ +4988 try:
+4989 res = eval(" ".join(parsed_expr))
+4990 if isinstance(res, int): 4990 ↛ 4993line 4990 didn't jump to line 4993, because the condition on line 4990 was never false
+4991 show_as_int(res)
+4992 else:
+4993 gef_print(f"{res}")
+4994 except SyntaxError:
+4995 gef_print(" ".join(parsed_expr))
+4996 return
+ +4998 def distance(self, args: Tuple[str, str]) -> None:
+4999 try:
+5000 x = int(args[0], 16) if is_hex(args[0]) else int(args[0])
+5001 y = int(args[1], 16) if is_hex(args[1]) else int(args[1])
+5002 gef_print(f"{abs(x - y)}")
+5003 except ValueError:
+5004 warn(f"Distance requires 2 numbers: {self._cmdline_} 0 0xffff")
+5005 return
+ + +5008@register
+5009class CanaryCommand(GenericCommand):
+5010 """Shows the canary value of the current process."""
+ +5012 _cmdline_ = "canary"
+5013 _syntax_ = _cmdline_
+ +5015 @only_if_gdb_running
+5016 def do_invoke(self, argv: List[str]) -> None:
+5017 self.dont_repeat()
+ +5019 has_canary = Elf(get_filepath()).checksec["Canary"]
+5020 if not has_canary: 5020 ↛ 5021line 5020 didn't jump to line 5021, because the condition on line 5020 was never true
+5021 warn("This binary was not compiled with SSP.")
+5022 return
+ +5024 res = gef.session.canary
+5025 if not res: 5025 ↛ 5026line 5025 didn't jump to line 5026, because the condition on line 5025 was never true
+5026 err("Failed to get the canary")
+5027 return
+ +5029 canary, location = res
+5030 info(f"The canary of process {gef.session.pid} is at {location:#x}, value is {canary:#x}")
+5031 return
+ + +5034@register
+5035class ProcessStatusCommand(GenericCommand):
+5036 """Extends the info given by GDB `info proc`, by giving an exhaustive description of the
+5037 process status (file descriptors, ancestor, descendants, etc.)."""
+ +5039 _cmdline_ = "process-status"
+5040 _syntax_ = _cmdline_
+5041 _aliases_ = ["status", ]
+ +5043 def __init__(self) -> None:
+5044 super().__init__(complete=gdb.COMPLETE_NONE)
+5045 return
+ +5047 @only_if_gdb_running
+5048 @only_if_gdb_target_local
+5049 def do_invoke(self, argv: List[str]) -> None:
+5050 self.show_info_proc()
+5051 self.show_ancestor()
+5052 self.show_descendants()
+5053 self.show_fds()
+5054 self.show_connections()
+5055 return
+ +5057 def get_state_of(self, pid: int) -> Dict[str, str]:
+5058 res = {}
+5059 with open(f"/proc/{pid}/status", "r") as f:
+5060 file = f.readlines()
+5061 for line in file:
+5062 key, value = line.split(":", 1)
+5063 res[key.strip()] = value.strip()
+5064 return res
+ +5066 def get_cmdline_of(self, pid: int) -> str:
+5067 with open(f"/proc/{pid}/cmdline", "r") as f:
+5068 return f.read().replace("\x00", "\x20").strip()
+ +5070 def get_process_path_of(self, pid: int) -> str:
+5071 return os.readlink(f"/proc/{pid}/exe")
+ +5073 def get_children_pids(self, pid: int) -> List[int]:
+5074 cmd = [gef.session.constants["ps"], "-o", "pid", "--ppid", f"{pid}", "--noheaders"]
+5075 try:
+5076 return [int(x) for x in gef_execute_external(cmd, as_list=True)] 5076 ↛ exit, 5076 ↛ exit2 missed branches: 1) line 5076 didn't run the list comprehension on line 5076, 2) line 5076 didn't return from function 'get_children_pids', because the return on line 5076 wasn't executed
+5077 except Exception:
+5078 return []
+ +5080 def show_info_proc(self) -> None:
+5081 info("Process Information")
+5082 pid = gef.session.pid
+5083 cmdline = self.get_cmdline_of(pid)
+5084 gef_print(f"\tPID {RIGHT_ARROW} {pid}",
+5085 f"\tExecutable {RIGHT_ARROW} {self.get_process_path_of(pid)}",
+5086 f"\tCommand line {RIGHT_ARROW} '{cmdline}'", sep="\n")
+5087 return
+ +5089 def show_ancestor(self) -> None:
+5090 info("Parent Process Information")
+5091 ppid = int(self.get_state_of(gef.session.pid)["PPid"])
+5092 state = self.get_state_of(ppid)
+5093 cmdline = self.get_cmdline_of(ppid)
+5094 gef_print(f"\tParent PID {RIGHT_ARROW} {state['Pid']}",
+5095 f"\tCommand line {RIGHT_ARROW} '{cmdline}'", sep="\n")
+5096 return
+ +5098 def show_descendants(self) -> None:
+5099 info("Children Process Information")
+5100 children = self.get_children_pids(gef.session.pid)
+5101 if not children: 5101 ↛ 5105line 5101 didn't jump to line 5105, because the condition on line 5101 was never false
+5102 gef_print("\tNo child process")
+5103 return
+ +5105 for child_pid in children:
+5106 state = self.get_state_of(child_pid)
+5107 pid = state["Pid"]
+5108 gef_print(f"\tPID {RIGHT_ARROW} {pid} (Name: '{self.get_process_path_of(pid)}', CmdLine: '{self.get_cmdline_of(pid)}')")
+5109 return
+ +5111 def show_fds(self) -> None:
+5112 pid = gef.session.pid
+5113 path = f"/proc/{pid:d}/fd"
+ +5115 info("File Descriptors:")
+5116 items = os.listdir(path)
+5117 if not items: 5117 ↛ 5118line 5117 didn't jump to line 5118, because the condition on line 5117 was never true
+5118 gef_print("\tNo FD opened")
+5119 return
+ +5121 for fname in items:
+5122 fullpath = os.path.join(path, fname)
+5123 if os.path.islink(fullpath): 5123 ↛ 5121line 5123 didn't jump to line 5121, because the condition on line 5123 was never false
+5124 gef_print(f"\t{fullpath} {RIGHT_ARROW} {os.readlink(fullpath)}")
+5125 return
+ +5127 def list_sockets(self, pid: int) -> List[int]:
+5128 sockets = []
+5129 path = f"/proc/{pid:d}/fd"
+5130 items = os.listdir(path)
+5131 for fname in items:
+5132 fullpath = os.path.join(path, fname)
+5133 if os.path.islink(fullpath) and os.readlink(fullpath).startswith("socket:"): 5133 ↛ 5134line 5133 didn't jump to line 5134, because the condition on line 5133 was never true
+5134 p = os.readlink(fullpath).replace("socket:", "")[1:-1]
+5135 sockets.append(int(p))
+5136 return sockets
+ +5138 def parse_ip_port(self, addr: str) -> Tuple[str, int]:
+5139 ip, port = addr.split(":")
+5140 return socket.inet_ntoa(struct.pack("<I", int(ip, 16))), int(port, 16)
+ +5142 def show_connections(self) -> None:
+5143 # https://github.com/torvalds/linux/blob/v4.7/include/net/tcp_states.h#L16
+5144 tcp_states_str = {
+5145 0x01: "TCP_ESTABLISHED",
+5146 0x02: "TCP_SYN_SENT",
+5147 0x03: "TCP_SYN_RECV",
+5148 0x04: "TCP_FIN_WAIT1",
+5149 0x05: "TCP_FIN_WAIT2",
+5150 0x06: "TCP_TIME_WAIT",
+5151 0x07: "TCP_CLOSE",
+5152 0x08: "TCP_CLOSE_WAIT",
+5153 0x09: "TCP_LAST_ACK",
+5154 0x0A: "TCP_LISTEN",
+5155 0x0B: "TCP_CLOSING",
+5156 0x0C: "TCP_NEW_SYN_RECV",
+5157 }
+ +5159 udp_states_str = {
+5160 0x07: "UDP_LISTEN",
+5161 }
+ +5163 info("Network Connections")
+5164 pid = gef.session.pid
+5165 sockets = self.list_sockets(pid)
+5166 if not sockets: 5166 ↛ 5170line 5166 didn't jump to line 5170, because the condition on line 5166 was never false
+5167 gef_print("\tNo open connections")
+5168 return
+ +5170 entries = dict()
+5171 with open(f"/proc/{pid:d}/net/tcp", "r") as tcp:
+5172 entries["TCP"] = [x.split() for x in tcp.readlines()[1:]]
+5173 with open(f"/proc/{pid:d}/net/udp", "r") as udp:
+5174 entries["UDP"] = [x.split() for x in udp.readlines()[1:]]
+ +5176 for proto in entries:
+5177 for entry in entries[proto]:
+5178 local, remote, state = entry[1:4]
+5179 inode = int(entry[9])
+5180 if inode in sockets:
+5181 local = self.parse_ip_port(local)
+5182 remote = self.parse_ip_port(remote)
+5183 state = int(state, 16)
+5184 state_str = tcp_states_str[state] if proto == "TCP" else udp_states_str[state]
+ +5186 gef_print(f"\t{local[0]}:{local[1]} {RIGHT_ARROW} {remote[0]}:{remote[1]} ({state_str})")
+5187 return
+ + +5190@register
+5191class GefThemeCommand(GenericCommand):
+5192 """Customize GEF appearance."""
+ +5194 _cmdline_ = "theme"
+5195 _syntax_ = f"{_cmdline_} [KEY [VALUE]]"
+ +5197 def __init__(self) -> None:
+5198 super().__init__(self._cmdline_)
+5199 self["context_title_line"] = ("gray", "Color of the borders in context window")
+5200 self["context_title_message"] = ("cyan", "Color of the title in context window")
+5201 self["default_title_line"] = ("gray", "Default color of borders")
+5202 self["default_title_message"] = ("cyan", "Default color of title")
+5203 self["table_heading"] = ("blue", "Color of the column headings to tables (e.g. vmmap)")
+5204 self["old_context"] = ("gray", "Color to use to show things such as code that is not immediately relevant")
+5205 self["disassemble_current_instruction"] = ("green", "Color to use to highlight the current $pc when disassembling")
+5206 self["dereference_string"] = ("yellow", "Color of dereferenced string")
+5207 self["dereference_code"] = ("gray", "Color of dereferenced code")
+5208 self["dereference_base_address"] = ("cyan", "Color of dereferenced address")
+5209 self["dereference_register_value"] = ("bold blue", "Color of dereferenced register")
+5210 self["registers_register_name"] = ("blue", "Color of the register name in the register window")
+5211 self["registers_value_changed"] = ("bold red", "Color of the changed register in the register window")
+5212 self["address_stack"] = ("pink", "Color to use when a stack address is found")
+5213 self["address_heap"] = ("green", "Color to use when a heap address is found")
+5214 self["address_code"] = ("red", "Color to use when a code address is found")
+5215 self["source_current_line"] = ("green", "Color to use for the current code line in the source window")
+5216 return
+ +5218 def do_invoke(self, args: List[str]) -> None:
+5219 self.dont_repeat()
+5220 argc = len(args)
+ +5222 if argc == 0:
+5223 for key in self.settings:
+5224 setting = self[key]
+5225 value = Color.colorify(setting, setting)
+5226 gef_print(f"{key:40s}: {value}")
+5227 return
+ +5229 setting_name = args[0]
+5230 if not setting_name in self:
+5231 err("Invalid key")
+5232 return
+ +5234 if argc == 1:
+5235 value = self[setting_name]
+5236 gef_print(f"{setting_name:40s}: {Color.colorify(value, value)}")
+5237 return
+ +5239 colors = [color for color in args[1:] if color in Color.colors]
+5240 self[setting_name] = " ".join(colors)
+5241 return
+ + +5244class ExternalStructureManager:
+5245 class Structure:
+5246 def __init__(self, manager: "ExternalStructureManager", mod_path: pathlib.Path, struct_name: str) -> None:
+5247 self.manager = manager
+5248 self.module_path = mod_path
+5249 self.name = struct_name
+5250 self.class_type = self.__get_structure_class()
+5251 # if the symbol points to a class factory method and not a class
+5252 if not hasattr(self.class_type, "_fields_") and callable(self.class_type): 5252 ↛ 5253line 5252 didn't jump to line 5253, because the condition on line 5252 was never true
+5253 self.class_type = self.class_type(gef)
+5254 return
+ +5256 def __str__(self) -> str:
+5257 return self.name
+ +5259 def pprint(self) -> None:
+5260 res = []
+5261 for _name, _type in self.class_type._fields_:
+5262 size = ctypes.sizeof(_type)
+5263 name = Color.colorify(_name, gef.config["pcustom.structure_name"])
+5264 type = Color.colorify(_type.__name__, gef.config["pcustom.structure_type"])
+5265 size = Color.colorify(hex(size), gef.config["pcustom.structure_size"])
+5266 offset = Color.boldify(f"{getattr(self.class_type, _name).offset:04x}")
+5267 res.append(f"{offset} {name:32s} {type:16s} /* size={size} */")
+5268 gef_print("\n".join(res))
+5269 return
+ +5271 def __get_structure_class(self) -> Type:
+5272 """Returns a tuple of (class, instance) if modname!classname exists"""
+5273 fpath = self.module_path
+5274 spec = importlib.util.spec_from_file_location(fpath.stem, fpath)
+5275 module = importlib.util.module_from_spec(spec)
+5276 sys.modules[fpath.stem] = module
+5277 spec.loader.exec_module(module)
+5278 _class = getattr(module, self.name)
+5279 return _class
+ +5281 def apply_at(self, address: int, max_depth: int, depth: int = 0) -> None:
+5282 """Apply (recursively if possible) the structure format to the given address."""
+5283 if depth >= max_depth: 5283 ↛ 5284line 5283 didn't jump to line 5284, because the condition on line 5283 was never true
+5284 warn("maximum recursion level reached")
+5285 return
+ +5287 # read the data at the specified address
+5288 _structure = self.class_type()
+5289 _sizeof_structure = ctypes.sizeof(_structure)
+ +5291 try:
+5292 data = gef.memory.read(address, _sizeof_structure)
+5293 except gdb.MemoryError:
+5294 err(f"{' ' * depth}Cannot read memory {address:#x}")
+5295 return
+ +5297 # deserialize the data
+5298 length = min(len(data), _sizeof_structure)
+5299 ctypes.memmove(ctypes.addressof(_structure), data, length)
+ +5301 # pretty print all the fields (and call recursively if possible)
+5302 ptrsize = gef.arch.ptrsize
+5303 unpack = u32 if ptrsize == 4 else u64
+5304 for field in _structure._fields_:
+5305 _name, _type = field
+5306 _value = getattr(_structure, _name)
+5307 _offset = getattr(self.class_type, _name).offset
+ +5309 if ((ptrsize == 4 and _type is ctypes.c_uint32) 5309 ↛ 5313line 5309 didn't jump to line 5313, because the condition on line 5309 was never true
+5310 or (ptrsize == 8 and _type is ctypes.c_uint64)
+5311 or (ptrsize == ctypes.sizeof(ctypes.c_void_p) and _type is ctypes.c_void_p)):
+5312 # try to dereference pointers
+5313 _value = RIGHT_ARROW.join(dereference_from(_value))
+ +5315 line = f"{' ' * depth}"
+5316 line += f"{address:#x}+{_offset:#04x} {_name} : ".ljust(40)
+5317 line += f"{_value} ({_type.__name__})"
+5318 parsed_value = self.__get_ctypes_value(_structure, _name, _value)
+5319 if parsed_value: 5319 ↛ 5320line 5319 didn't jump to line 5320, because the condition on line 5319 was never true
+5320 line += f"{RIGHT_ARROW} {parsed_value}"
+5321 gef_print(line)
+ +5323 if issubclass(_type, ctypes.Structure): 5323 ↛ 5324line 5323 didn't jump to line 5324, because the condition on line 5323 was never true
+5324 self.apply_at(address + _offset, max_depth, depth + 1)
+5325 elif _type.__name__.startswith("LP_"):
+5326 # Pointer to a structure of a different type
+5327 __sub_type_name = _type.__name__.lstrip("LP_")
+5328 result = self.manager.find(__sub_type_name)
+5329 if result: 5329 ↛ 5304line 5329 didn't jump to line 5304, because the condition on line 5329 was never false
+5330 _, __structure = result
+5331 __address = unpack(gef.memory.read(address + _offset, ptrsize))
+5332 __structure.apply_at(__address, max_depth, depth + 1)
+5333 return
+ +5335 def __get_ctypes_value(self, struct, item, value) -> str:
+5336 if not hasattr(struct, "_values_"): return "" 5336 ↛ 5337line 5336 didn't jump to line 5337, because the condition on line 5336 was never false
+5337 default = ""
+5338 for name, values in struct._values_:
+5339 if name != item: continue
+5340 if callable(values):
+5341 return values(value)
+5342 try:
+5343 for val, desc in values:
+5344 if value == val: return desc
+5345 if val is None: default = desc
+5346 except Exception as e:
+5347 err(f"Error parsing '{name}': {e}")
+5348 return default
+ +5350 class Module(dict):
+5351 def __init__(self, manager: "ExternalStructureManager", path: pathlib.Path) -> None:
+5352 self.manager = manager
+5353 self.path = path
+5354 self.name = path.stem
+5355 self.raw = self.__load()
+ +5357 for entry in self:
+5358 structure = ExternalStructureManager.Structure(manager, self.path, entry)
+5359 self[structure.name] = structure
+5360 return
+ +5362 def __load(self) -> ModuleType:
+5363 """Load a custom module, and return it."""
+5364 fpath = self.path
+5365 spec = importlib.util.spec_from_file_location(fpath.stem, fpath)
+5366 module = importlib.util.module_from_spec(spec)
+5367 sys.modules[fpath.stem] = module
+5368 spec.loader.exec_module(module)
+5369 return module
+ +5371 def __str__(self) -> str:
+5372 return self.name
+ +5374 def __iter__(self) -> Generator[str, None, None]:
+5375 _invalid = {"BigEndianStructure", "LittleEndianStructure", "Structure"}
+5376 for x in dir(self.raw):
+5377 if x in _invalid: continue
+5378 _attr = getattr(self.raw, x)
+ +5380 # if it's a ctypes.Structure class, add it
+5381 if inspect.isclass(_attr) and issubclass(_attr, ctypes.Structure):
+5382 yield x
+5383 continue
+ +5385 # also accept class factory functions
+5386 if callable(_attr) and _attr.__module__ == self.name and x.endswith("_t"): 5386 ↛ 5387line 5386 didn't jump to line 5387, because the condition on line 5386 was never true
+5387 yield x
+5388 continue
+5389 return
+ +5391 class Modules(dict):
+5392 def __init__(self, manager: "ExternalStructureManager") -> None:
+5393 self.manager: "ExternalStructureManager" = manager
+5394 self.root: pathlib.Path = manager.path
+ +5396 for entry in self.root.iterdir():
+5397 if not entry.is_file(): continue
+5398 if entry.suffix != ".py": continue 5398 ↛ 5396line 5398 didn't jump to line 5396, because the continue on line 5398 wasn't executed
+5399 if entry.name == "__init__.py": continue 5399 ↛ 5396line 5399 didn't jump to line 5396, because the continue on line 5399 wasn't executed
+5400 module = ExternalStructureManager.Module(manager, entry)
+5401 self[module.name] = module
+5402 return
+ +5404 def __contains__(self, structure_name: str) -> bool:
+5405 """Return True if the structure name is found in any of the modules"""
+5406 for module in self.values():
+5407 if structure_name in module:
+5408 return True
+5409 return False
+ +5411 def __init__(self) -> None:
+5412 self.clear_caches()
+5413 return
+ +5415 def clear_caches(self) -> None:
+5416 self._path = None
+5417 self._modules = None
+5418 return
+ +5420 @property
+5421 def modules(self) -> "ExternalStructureManager.Modules":
+5422 if not self._modules:
+5423 self._modules = ExternalStructureManager.Modules(self)
+5424 return self._modules
+ +5426 @property
+5427 def path(self) -> pathlib.Path:
+5428 if not self._path:
+5429 self._path = pathlib.Path(gef.config["pcustom.struct_path"]).expanduser().absolute()
+5430 return self._path
+ +5432 @property
+5433 def structures(self) -> Generator[Tuple["ExternalStructureManager.Module", "ExternalStructureManager.Structure"], None, None]:
+5434 for module in self.modules.values():
+5435 for structure in module.values():
+5436 yield module, structure
+5437 return
+ +5439 @lru_cache()
+5440 def find(self, structure_name: str) -> Optional[Tuple["ExternalStructureManager.Module", "ExternalStructureManager.Structure"]]:
+5441 """Return the module and structure for the given structure name; `None` if the structure name was not found."""
+5442 for module in self.modules.values():
+5443 if structure_name in module:
+5444 return module, module[structure_name]
+5445 return None
+ + +5448@register
+5449class PCustomCommand(GenericCommand):
+5450 """Dump user defined structure.
+5451 This command attempts to reproduce WinDBG awesome `dt` command for GDB and allows
+5452 to apply structures (from symbols or custom) directly to an address.
+5453 Custom structures can be defined in pure Python using ctypes, and should be stored
+5454 in a specific directory, whose path must be stored in the `pcustom.struct_path`
+5455 configuration setting."""
+ +5457 _cmdline_ = "pcustom"
+5458 _syntax_ = f"{_cmdline_} [list|edit <StructureName>|show <StructureName>]|<StructureName> 0xADDRESS]"
+ +5460 def __init__(self) -> None:
+5461 super().__init__(prefix=True)
+5462 self["struct_path"] = (str(pathlib.Path(gef.config["gef.tempdir"]) / "structs"), "Path to store/load the structure ctypes files")
+5463 self["max_depth"] = (4, "Maximum level of recursion supported")
+5464 self["structure_name"] = ("bold blue", "Color of the structure name")
+5465 self["structure_type"] = ("bold red", "Color of the attribute type")
+5466 self["structure_size"] = ("green", "Color of the attribute size")
+5467 return
+ +5469 @parse_arguments({"type": "", "address": ""}, {})
+5470 def do_invoke(self, *_: Any, **kwargs: Dict[str, Any]) -> None:
+5471 args : argparse.Namespace = kwargs["arguments"]
+5472 if not args.type:
+5473 gdb.execute("pcustom list")
+5474 return
+ +5476 _, structname = self.explode_type(args.type)
+ +5478 if not args.address:
+5479 gdb.execute(f"pcustom show {structname}")
+5480 return
+ +5482 if not is_alive():
+5483 err("Session is not active")
+5484 return
+ +5486 manager = ExternalStructureManager()
+5487 address = parse_address(args.address)
+5488 result = manager.find(structname)
+5489 if not result:
+5490 err(f"No structure named '{structname}' found")
+5491 return
+ +5493 _, structure = result
+5494 structure.apply_at(address, self["max_depth"])
+5495 return
+ +5497 def explode_type(self, arg: str) -> Tuple[str, str]:
+5498 modname, structname = arg.split(":", 1) if ":" in arg else (arg, arg)
+5499 structname = structname.split(".", 1)[0] if "." in structname else structname
+5500 return modname, structname
+ + +5503@register
+5504class PCustomListCommand(PCustomCommand):
+5505 """PCustom: list available structures"""
+ +5507 _cmdline_ = "pcustom list"
+5508 _syntax_ = f"{_cmdline_}"
+ +5510 def __init__(self) -> None:
+5511 super().__init__()
+5512 return
+ +5514 def do_invoke(self, _: List) -> None:
+5515 """Dump the list of all the structures and their respective."""
+5516 manager = ExternalStructureManager()
+5517 info(f"Listing custom structures from '{manager.path}'")
+5518 struct_color = gef.config["pcustom.structure_type"]
+5519 filename_color = gef.config["pcustom.structure_name"]
+5520 for module in manager.modules.values():
+5521 __modules = ", ".join([Color.colorify(structure_name, struct_color) for structure_name in module.values()])
+5522 __filename = Color.colorify(str(module.path), filename_color)
+5523 gef_print(f"{RIGHT_ARROW} {__filename} ({__modules})")
+5524 return
+ + +5527@register
+5528class PCustomShowCommand(PCustomCommand):
+5529 """PCustom: show the content of a given structure"""
+ +5531 _cmdline_ = "pcustom show"
+5532 _syntax_ = f"{_cmdline_} StructureName"
+5533 __aliases__ = ["pcustom create", "pcustom update"]
+ +5535 def __init__(self) -> None:
+5536 super().__init__()
+5537 return
+ +5539 def do_invoke(self, argv: List[str]) -> None:
+5540 if len(argv) == 0: 5540 ↛ 5541line 5540 didn't jump to line 5541, because the condition on line 5540 was never true
+5541 self.usage()
+5542 return
+ +5544 _, structname = self.explode_type(argv[0])
+5545 manager = ExternalStructureManager()
+5546 result = manager.find(structname)
+5547 if result:
+5548 _, structure = result
+5549 structure.pprint()
+5550 else:
+5551 err(f"No structure named '{structname}' found")
+5552 return
+ + +5555@register
+5556class PCustomEditCommand(PCustomCommand):
+5557 """PCustom: edit the content of a given structure"""
+ +5559 _cmdline_ = "pcustom edit"
+5560 _syntax_ = f"{_cmdline_} StructureName"
+5561 __aliases__ = ["pcustom create", "pcustom new", "pcustom update"]
+ +5563 def __init__(self) -> None:
+5564 super().__init__()
+5565 return
+ +5567 def do_invoke(self, argv: List[str]) -> None:
+5568 if len(argv) == 0:
+5569 self.usage()
+5570 return
+ +5572 modname, structname = self.explode_type(argv[0])
+5573 self.__create_or_edit_structure(modname, structname)
+5574 return
+ +5576 def __create_or_edit_structure(self, mod_name: str, struct_name: str) -> int:
+5577 path = pathlib.Path(gef.config["pcustom.struct_path"]).expanduser() / f"{mod_name}.py"
+5578 if path.is_file():
+5579 info(f"Editing '{path}'")
+5580 else:
+5581 ok(f"Creating '{path}' from template")
+5582 self.__create_template(struct_name, path)
+ +5584 cmd = (os.getenv("EDITOR") or "nano").split()
+5585 cmd.append(str(path.absolute()))
+5586 return subprocess.call(cmd)
+ +5588 def __create_template(self, structname: str, fpath: pathlib.Path) -> None:
+5589 template = f"""from ctypes import *
+ +5591class {structname}(Structure):
+5592 _fields_ = []
+ +5594 _values_ = []
+5595"""
+5596 with fpath.open("w") as f:
+5597 f.write(template)
+5598 return
+ + +5601@register
+5602class ChangeFdCommand(GenericCommand):
+5603 """ChangeFdCommand: redirect file descriptor during runtime."""
+ +5605 _cmdline_ = "hijack-fd"
+5606 _syntax_ = f"{_cmdline_} FD_NUM NEW_OUTPUT"
+5607 _example_ = f"{_cmdline_} 2 /tmp/stderr_output.txt"
+ +5609 @only_if_gdb_running
+5610 @only_if_gdb_target_local
+5611 def do_invoke(self, argv: List[str]) -> None:
+5612 if len(argv) != 2:
+5613 self.usage()
+5614 return
+ +5616 if not os.access(f"/proc/{gef.session.pid:d}/fd/{argv[0]}", os.R_OK):
+5617 self.usage()
+5618 return
+ +5620 old_fd = int(argv[0])
+5621 new_output = argv[1]
+ +5623 if ":" in new_output:
+5624 address = socket.gethostbyname(new_output.split(":")[0])
+5625 port = int(new_output.split(":")[1])
+ +5627 AF_INET = 2
+5628 SOCK_STREAM = 1
+5629 res = gdb.execute(f"""call (int)socket({AF_INET}, {SOCK_STREAM}, 0)""", to_string=True)
+5630 new_fd = self.get_fd_from_result(res)
+ +5632 # fill in memory with sockaddr_in struct contents
+5633 # we will do this in the stack, since connect() wants a pointer to a struct
+5634 vmmap = gef.memory.maps
+5635 stack_addr = [entry.page_start for entry in vmmap if entry.path == "[stack]"][0]
+5636 original_contents = gef.memory.read(stack_addr, 8)
+ +5638 gef.memory.write(stack_addr, b"\x02\x00", 2)
+5639 gef.memory.write(stack_addr + 0x2, struct.pack("<H", socket.htons(port)), 2)
+5640 gef.memory.write(stack_addr + 0x4, socket.inet_aton(address), 4)
+ +5642 info(f"Trying to connect to {new_output}")
+5643 res = gdb.execute(f"""call (int)connect({new_fd}, {stack_addr}, {16})""", to_string=True)
+ +5645 # recover stack state
+5646 gef.memory.write(stack_addr, original_contents, 8)
+ +5648 res = self.get_fd_from_result(res)
+5649 if res == -1:
+5650 err(f"Failed to connect to {address}:{port}")
+5651 return
+ +5653 info(f"Connected to {new_output}")
+5654 else:
+5655 res = gdb.execute(f"""call (int)open("{new_output}", 66, 0666)""", to_string=True)
+5656 new_fd = self.get_fd_from_result(res)
+ +5658 info(f"Opened '{new_output}' as fd #{new_fd:d}")
+5659 gdb.execute(f"""call (int)dup2({new_fd:d}, {old_fd:d})""", to_string=True)
+5660 info(f"Duplicated fd #{new_fd:d}{RIGHT_ARROW}#{old_fd:d}")
+5661 gdb.execute(f"""call (int)close({new_fd:d})""", to_string=True)
+5662 info(f"Closed extra fd #{new_fd:d}")
+5663 ok("Success")
+5664 return
+ +5666 def get_fd_from_result(self, res: str) -> int:
+5667 # Output example: $1 = 3
+5668 res = gdb.execute(f"""p/d {int(res.split()[2], 0)}""", to_string=True)
+5669 return int(res.split()[2], 0)
+ + +5672@register
+5673class ScanSectionCommand(GenericCommand):
+5674 """Search for addresses that are located in a memory mapping (haystack) that belonging
+5675 to another (needle)."""
+ +5677 _cmdline_ = "scan"
+5678 _syntax_ = f"{_cmdline_} HAYSTACK NEEDLE"
+5679 _aliases_ = ["lookup",]
+5680 _example_ = f"\n{_cmdline_} stack libc"
+ +5682 @only_if_gdb_running
+5683 def do_invoke(self, argv: List[str]) -> None:
+5684 if len(argv) != 2: 5684 ↛ 5685line 5684 didn't jump to line 5685, because the condition on line 5684 was never true
+5685 self.usage()
+5686 return
+ +5688 haystack = argv[0]
+5689 needle = argv[1]
+ +5691 info(f"Searching for addresses in '{Color.yellowify(haystack)}' "
+5692 f"that point to '{Color.yellowify(needle)}'")
+ +5694 if haystack == "binary":
+5695 haystack = get_filepath()
+ +5697 if needle == "binary": 5697 ↛ 5698line 5697 didn't jump to line 5698, because the condition on line 5697 was never true
+5698 needle = get_filepath()
+ +5700 needle_sections = []
+5701 haystack_sections = []
+ +5703 if "0x" in haystack: 5703 ↛ 5704line 5703 didn't jump to line 5704, because the condition on line 5703 was never true
+5704 start, end = parse_string_range(haystack)
+5705 haystack_sections.append((start, end, ""))
+ +5707 if "0x" in needle: 5707 ↛ 5708line 5707 didn't jump to line 5708, because the condition on line 5707 was never true
+5708 start, end = parse_string_range(needle)
+5709 needle_sections.append((start, end))
+ +5711 for sect in gef.memory.maps:
+5712 if haystack in sect.path:
+5713 haystack_sections.append((sect.page_start, sect.page_end, os.path.basename(sect.path)))
+5714 if needle in sect.path:
+5715 needle_sections.append((sect.page_start, sect.page_end))
+ +5717 step = gef.arch.ptrsize
+5718 unpack = u32 if step == 4 else u64
+ +5720 for hstart, hend, hname in haystack_sections:
+5721 try:
+5722 mem = gef.memory.read(hstart, hend - hstart)
+5723 except gdb.MemoryError:
+5724 continue
+ +5726 for i in range(0, len(mem), step):
+5727 target = unpack(mem[i:i+step])
+5728 for nstart, nend in needle_sections:
+5729 if target >= nstart and target < nend:
+5730 deref = DereferenceCommand.pprint_dereferenced(hstart, int(i / step))
+5731 if hname != "": 5731 ↛ 5735line 5731 didn't jump to line 5735, because the condition on line 5731 was never false
+5732 name = Color.colorify(hname, "yellow")
+5733 gef_print(f"{name}: {deref}")
+5734 else:
+5735 gef_print(f" {deref}")
+ +5737 return
+ + +5740@register
+5741class SearchPatternCommand(GenericCommand):
+5742 """SearchPatternCommand: search a pattern in memory. If given an hex value (starting with 0x)
+5743 the command will also try to look for upwards cross-references to this address."""
+ +5745 _cmdline_ = "search-pattern"
+5746 _syntax_ = f"{_cmdline_} PATTERN [little|big] [section]"
+5747 _aliases_ = ["grep", "xref"]
+5748 _example_ = [f"{_cmdline_} AAAAAAAA",
+5749 f"{_cmdline_} 0x555555554000 little stack",
+5750 f"{_cmdline_} AAAA 0x600000-0x601000",
+5751 f"{_cmdline_} --regex 0x401000 0x401500 ([\\\\x20-\\\\x7E]{{2,}})(?=\\\\x00) <-- It matchs null-end-printable(from x20-x7e) C strings (min size 2 bytes)"]
+ +5753 def __init__(self) -> None:
+5754 super().__init__()
+5755 self["max_size_preview"] = (10, "max size preview of bytes")
+5756 self["nr_pages_chunk"] = (0x400, "number of pages readed for each memory read chunk")
+5757 return
+ +5759 def print_section(self, section: Section) -> None:
+5760 title = "In "
+5761 if section.path: 5761 ↛ 5764line 5761 didn't jump to line 5764, because the condition on line 5761 was never false
+5762 title += f"'{Color.blueify(section.path)}'"
+ +5764 title += f"({section.page_start:#x}-{section.page_end:#x})"
+5765 title += f", permission={section.permission}"
+5766 ok(title)
+5767 return
+ +5769 def print_loc(self, loc: Tuple[int, int, str]) -> None:
+5770 gef_print(f""" {loc[0]:#x} - {loc[1]:#x} {RIGHT_ARROW} "{Color.pinkify(loc[2])}" """)
+5771 return
+ +5773 def search_pattern_by_address(self, pattern: str, start_address: int, end_address: int) -> List[Tuple[int, int, Optional[str]]]:
+5774 """Search a pattern within a range defined by arguments."""
+5775 _pattern = gef_pybytes(pattern)
+5776 step = self["nr_pages_chunk"] * gef.session.pagesize
+5777 locations = []
+ +5779 for chunk_addr in range(start_address, end_address, step):
+5780 if chunk_addr + step > end_address: 5780 ↛ 5783line 5780 didn't jump to line 5783, because the condition on line 5780 was never false
+5781 chunk_size = end_address - chunk_addr
+5782 else:
+5783 chunk_size = step
+ +5785 try:
+5786 mem = gef.memory.read(chunk_addr, chunk_size)
+5787 except gdb.MemoryError as e:
+5788 return []
+ +5790 for match in re.finditer(_pattern, mem):
+5791 start = chunk_addr + match.start()
+5792 if is_ascii_string(start):
+5793 ustr = gef.memory.read_ascii_string(start) or ""
+5794 end = start + len(ustr)
+5795 else:
+5796 ustr = gef_pystring(_pattern) + "[...]"
+5797 end = start + len(_pattern)
+5798 locations.append((start, end, ustr))
+ +5800 del mem
+ +5802 return locations
+ +5804 def search_binpattern_by_address(self, binpattern: bytes, start_address: int, end_address: int) -> List[Tuple[int, int, Optional[str]]]:
+5805 """Search a binary pattern within a range defined by arguments."""
+ +5807 step = self["nr_pages_chunk"] * gef.session.pagesize
+5808 locations = []
+ +5810 for chunk_addr in range(start_address, end_address, step):
+5811 if chunk_addr + step > end_address: 5811 ↛ 5814line 5811 didn't jump to line 5814, because the condition on line 5811 was never false
+5812 chunk_size = end_address - chunk_addr
+5813 else:
+5814 chunk_size = step
+ +5816 try:
+5817 mem = gef.memory.read(chunk_addr, chunk_size)
+5818 except gdb.MemoryError as e:
+5819 return []
+5820 preview_size = self["max_size_preview"]
+5821 for match in re.finditer(binpattern, mem):
+5822 start = chunk_addr + match.start()
+5823 preview = str(mem[slice(*match.span())][0:preview_size]) + "..."
+5824 size_match = match.span()[1] - match.span()[0]
+5825 if size_match > 0: 5825 ↛ 5827line 5825 didn't jump to line 5827, because the condition on line 5825 was never false
+5826 size_match -= 1
+5827 end = start + size_match
+ +5829 locations.append((start, end, preview))
+ +5831 del mem
+ +5833 return locations
+ +5835 def search_pattern(self, pattern: str, section_name: str) -> None:
+5836 """Search a pattern within the whole userland memory."""
+5837 for section in gef.memory.maps:
+5838 if not section.permission & Permission.READ: continue
+5839 if section.path == "[vvar]": continue
+5840 if not section_name in section.path: continue 5840 ↛ 5837line 5840 didn't jump to line 5837, because the continue on line 5840 wasn't executed
+ +5842 start = section.page_start
+5843 end = section.page_end - 1
+5844 old_section = None
+ +5846 for loc in self.search_pattern_by_address(pattern, start, end):
+5847 addr_loc_start = lookup_address(loc[0])
+5848 if addr_loc_start and addr_loc_start.section: 5848 ↛ 5853line 5848 didn't jump to line 5853, because the condition on line 5848 was never false
+5849 if old_section != addr_loc_start.section: 5849 ↛ 5853line 5849 didn't jump to line 5853, because the condition on line 5849 was never false
+5850 self.print_section(addr_loc_start.section)
+5851 old_section = addr_loc_start.section
+ +5853 self.print_loc(loc)
+5854 return
+ +5856 @only_if_gdb_running
+5857 def do_invoke(self, argv: List[str]) -> None:
+5858 argc = len(argv)
+5859 if argc < 1: 5859 ↛ 5860line 5859 didn't jump to line 5860, because the condition on line 5859 was never true
+5860 self.usage()
+5861 return
+ +5863 if argc > 3 and argv[0].startswith("--regex"):
+5864 pattern = ' '.join(argv[3:])
+5865 pattern = ast.literal_eval("b'" + pattern + "'")
+ +5867 addr_start = parse_address(argv[1])
+5868 addr_end = parse_address(argv[2])
+ +5870 for loc in self.search_binpattern_by_address(pattern, addr_start, addr_end):
+5871 self.print_loc(loc)
+ +5873 return
+ +5875 pattern = argv[0]
+5876 endian = gef.arch.endianness
+ +5878 if argc >= 2: 5878 ↛ 5879line 5878 didn't jump to line 5879, because the condition on line 5878 was never true
+5879 if argv[1].lower() == "big": endian = Endianness.BIG_ENDIAN
+5880 elif argv[1].lower() == "little": endian = Endianness.LITTLE_ENDIAN
+ +5882 if is_hex(pattern): 5882 ↛ 5883line 5882 didn't jump to line 5883, because the condition on line 5882 was never true
+5883 if endian == Endianness.BIG_ENDIAN:
+5884 pattern = "".join(["\\x" + pattern[i:i + 2] for i in range(2, len(pattern), 2)])
+5885 else:
+5886 pattern = "".join(["\\x" + pattern[i:i + 2] for i in range(len(pattern) - 2, 0, -2)])
+ +5888 if argc == 3: 5888 ↛ 5889line 5888 didn't jump to line 5889, because the condition on line 5888 was never true
+5889 info(f"Searching '{Color.yellowify(pattern)}' in {argv[2]}")
+ +5891 if "0x" in argv[2]:
+5892 start, end = parse_string_range(argv[2])
+ +5894 loc = lookup_address(start)
+5895 if loc.valid:
+5896 self.print_section(loc.section)
+ +5898 for loc in self.search_pattern_by_address(pattern, start, end):
+5899 self.print_loc(loc)
+5900 else:
+5901 section_name = argv[2]
+5902 if section_name == "binary":
+5903 section_name = get_filepath() or ""
+ +5905 self.search_pattern(pattern, section_name)
+5906 else:
+5907 info(f"Searching '{Color.yellowify(pattern)}' in memory")
+5908 self.search_pattern(pattern, "")
+5909 return
+ + +5912@register
+5913class FlagsCommand(GenericCommand):
+5914 """Edit flags in a human friendly way."""
+ +5916 _cmdline_ = "edit-flags"
+5917 _syntax_ = f"{_cmdline_} [(+|-|~)FLAGNAME ...]"
+5918 _aliases_ = ["flags",]
+5919 _example_ = (f"\n{_cmdline_}"
+5920 f"\n{_cmdline_} +zero # sets ZERO flag")
+ +5922 def do_invoke(self, argv: List[str]) -> None:
+5923 if not gef.arch.flag_register: 5923 ↛ 5924line 5923 didn't jump to line 5924, because the condition on line 5923 was never true
+5924 warn(f"The architecture {gef.arch.arch}:{gef.arch.mode} doesn't have flag register.")
+5925 return
+ +5927 for flag in argv:
+5928 if len(flag) < 2: 5928 ↛ 5929line 5928 didn't jump to line 5929, because the condition on line 5928 was never true
+5929 continue
+ +5931 action = flag[0]
+5932 name = flag[1:].lower()
+ +5934 if action not in ("+", "-", "~"): 5934 ↛ 5935line 5934 didn't jump to line 5935, because the condition on line 5934 was never true
+5935 err(f"Invalid action for flag '{flag}'")
+5936 continue
+ +5938 if name not in gef.arch.flags_table.values(): 5938 ↛ 5939line 5938 didn't jump to line 5939, because the condition on line 5938 was never true
+5939 err(f"Invalid flag name '{flag[1:]}'")
+5940 continue
+ +5942 for off in gef.arch.flags_table:
+5943 if gef.arch.flags_table[off] == name:
+5944 old_flag = gef.arch.register(gef.arch.flag_register)
+5945 if action == "+":
+5946 new_flags = old_flag | (1 << off)
+5947 elif action == "-":
+5948 new_flags = old_flag & ~(1 << off)
+5949 else:
+5950 new_flags = old_flag ^ (1 << off)
+ +5952 gdb.execute(f"set ({gef.arch.flag_register}) = {new_flags:#x}")
+ +5954 gef_print(gef.arch.flag_register_to_human())
+5955 return
+ + +5958@register
+5959class RemoteCommand(GenericCommand):
+5960 """GDB `target remote` command on steroids. This command will use the remote procfs to create
+5961 a local copy of the execution environment, including the target binary and its libraries
+5962 in the local temporary directory (the value by default is in `gef.config.tempdir`). Additionally, it
+5963 will fetch all the /proc/PID/maps and loads all its information. If procfs is not available remotely, the command
+5964 will likely fail. You can however still use the limited command provided by GDB `target remote`."""
+ +5966 _cmdline_ = "gef-remote"
+5967 _syntax_ = f"{_cmdline_} [OPTIONS] TARGET"
+5968 _example_ = [f"{_cmdline_} localhost 1234",
+5969 f"{_cmdline_} --pid 6789 localhost 1234",
+5970 f"{_cmdline_} --qemu-user --qemu-binary /bin/debugme localhost 4444 "]
+ +5972 def __init__(self) -> None:
+5973 super().__init__(prefix=False)
+5974 return
+ +5976 @parse_arguments({"host": "", "port": 0}, {"--pid": -1, "--qemu-user": True, "--qemu-binary": ""})
+5977 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+5978 if gef.session.remote is not None: 5978 ↛ 5979line 5978 didn't jump to line 5979, because the condition on line 5978 was never true
+5979 err("You already are in remote session. Close it first before opening a new one...")
+5980 return
+ +5982 # argument check
+5983 args : argparse.Namespace = kwargs["arguments"]
+5984 if not args.host or not args.port: 5984 ↛ 5985line 5984 didn't jump to line 5985, because the condition on line 5984 was never true
+5985 err("Missing parameters")
+5986 return
+ +5988 # qemu-user support
+5989 qemu_binary: Optional[pathlib.Path] = None
+5990 try:
+5991 if args.qemu_user:
+5992 qemu_binary = pathlib.Path(args.qemu_binary).expanduser().absolute() if args.qemu_binary else gef.session.file
+5993 if not qemu_binary or not qemu_binary.exists(): 5993 ↛ 5994line 5993 didn't jump to line 5994, because the condition on line 5993 was never true
+5994 raise FileNotFoundError(f"{qemu_binary} does not exist")
+5995 except Exception as e:
+5996 err(f"Failed to initialize qemu-user mode, reason: {str(e)}")
+5997 return
+ +5999 # try to establish the remote session, throw on error
+6000 # Set `.remote_initializing` to True here - `GefRemoteSessionManager` invokes code which
+6001 # calls `is_remote_debug` which checks if `remote_initializing` is True or `.remote` is None
+6002 # This prevents some spurious errors being thrown during startup
+6003 gef.session.remote_initializing = True
+6004 gef.session.remote = GefRemoteSessionManager(args.host, args.port, args.pid, qemu_binary)
+6005 gef.session.remote_initializing = False
+6006 reset_all_caches()
+6007 gdb.execute("context")
+6008 return
+ + +6011@register
+6012class SkipiCommand(GenericCommand):
+6013 """Skip N instruction(s) execution"""
+ +6015 _cmdline_ = "skipi"
+6016 _syntax_ = ("{_cmdline_} [LOCATION] [--n NUM_INSTRUCTIONS]"
+6017 "\n\tLOCATION\taddress/symbol from where to skip"
+6018 "\t--n NUM_INSTRUCTIONS\tSkip the specified number of instructions instead of the default 1.")
+ +6020 _example_ = [f"{_cmdline_}",
+6021 f"{_cmdline_} --n 3",
+6022 f"{_cmdline_} 0x69696969",
+6023 f"{_cmdline_} 0x69696969 --n 6",]
+ +6025 def __init__(self) -> None:
+6026 super().__init__(complete=gdb.COMPLETE_LOCATION)
+6027 return
+ +6029 @only_if_gdb_running
+6030 @parse_arguments({"address": "$pc"}, {"--n": 1})
+6031 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+6032 args : argparse.Namespace = kwargs["arguments"]
+6033 address = parse_address(args.address)
+6034 num_instructions = args.n
+ +6036 last_insn = gef_instruction_n(address, num_instructions-1)
+6037 total_bytes = (last_insn.address - address) + last_insn.size()
+6038 target_addr = address + total_bytes
+ +6040 info(f"skipping {num_instructions} instructions ({total_bytes} bytes) from {address:#x} to {target_addr:#x}")
+6041 gdb.execute(f"set $pc = {target_addr:#x}")
+6042 return
+ + +6045@register
+6046class NopCommand(GenericCommand):
+6047 """Patch the instruction(s) pointed by parameters with NOP. Note: this command is architecture
+6048 aware."""
+ +6050 _cmdline_ = "nop"
+6051 _syntax_ = ("{_cmdline_} [LOCATION] [--i ITEMS] [--f] [--n] [--b]"
+6052 "\n\tLOCATION\taddress/symbol to patch (by default this command replaces whole instructions)"
+6053 "\t--i ITEMS\tnumber of items to insert (default 1)"
+6054 "\t--f\tForce patch even when the selected settings could overwrite partial instructions"
+6055 "\t--n\tInstead of replacing whole instructions, insert ITEMS nop instructions, no matter how many instructions it overwrites"
+6056 "\t--b\tInstead of replacing whole instructions, fill ITEMS bytes with nops")
+6057 _example_ = [f"{_cmdline_}",
+6058 f"{_cmdline_} $pc+3",
+6059 f"{_cmdline_} --i 2 $pc+3",
+6060 f"{_cmdline_} --b",
+6061 f"{_cmdline_} --b $pc+3",
+6062 f"{_cmdline_} --f --b --i 2 $pc+3"
+6063 f"{_cmdline_} --n --i 2 $pc+3",]
+ +6065 def __init__(self) -> None:
+6066 super().__init__(complete=gdb.COMPLETE_LOCATION)
+6067 return
+ +6069 @only_if_gdb_running
+6070 @parse_arguments({"address": "$pc"}, {"--i": 1, "--b": True, "--f": True, "--n": True})
+6071 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+6072 args : argparse.Namespace = kwargs["arguments"]
+6073 address = parse_address(args.address)
+6074 nop = gef.arch.nop_insn
+6075 num_items = int(args.i) or 1
+6076 fill_bytes = bool(args.b)
+6077 fill_nops = bool(args.n)
+6078 force_flag = bool(args.f) or False
+ +6080 if fill_nops and fill_bytes:
+6081 err("--b and --n cannot be specified at the same time.")
+6082 return
+ +6084 total_bytes = 0
+6085 if fill_bytes:
+6086 total_bytes = num_items
+6087 elif fill_nops:
+6088 total_bytes = num_items * len(nop)
+6089 else:
+6090 try:
+6091 last_insn = gef_instruction_n(address, num_items-1)
+6092 last_addr = last_insn.address
+6093 except:
+6094 err(f"Cannot patch instruction at {address:#x} reaching unmapped area")
+6095 return
+6096 total_bytes = (last_addr - address) + gef_get_instruction_at(last_addr).size()
+ +6098 if len(nop) > total_bytes or total_bytes % len(nop):
+6099 warn(f"Patching {total_bytes} bytes at {address:#x} will result in LAST-NOP "
+6100 f"(byte nr {total_bytes % len(nop):#x}) broken and may cause a crash or "
+6101 "break disassembly.")
+6102 if not force_flag:
+6103 warn("Use --f (force) to ignore this warning.")
+6104 return
+ +6106 target_end_address = address + total_bytes
+6107 curr_ins = gef_current_instruction(address)
+6108 while curr_ins.address + curr_ins.size() < target_end_address:
+6109 if not Address(value=curr_ins.address + 1).valid:
+6110 err(f"Cannot patch instruction at {address:#x}: reaching unmapped area")
+6111 return
+6112 curr_ins = gef_next_instruction(curr_ins.address)
+ +6114 final_ins_end_addr = curr_ins.address + curr_ins.size()
+ +6116 if final_ins_end_addr != target_end_address:
+6117 warn(f"Patching {total_bytes} bytes at {address:#x} will result in LAST-INSTRUCTION "
+6118 f"({curr_ins.address:#x}) being partial overwritten and may cause a crash or "
+6119 "break disassembly.")
+6120 if not force_flag:
+6121 warn("Use --f (force) to ignore this warning.")
+6122 return
+ +6124 nops = bytearray(nop * total_bytes)
+6125 end_address = Address(value=address + total_bytes - 1)
+6126 if not end_address.valid: 6126 ↛ 6127line 6126 didn't jump to line 6127, because the condition on line 6126 was never true
+6127 err(f"Cannot patch instruction at {address:#x}: reaching unmapped "
+6128 f"area: {end_address:#x}")
+6129 return
+ +6131 ok(f"Patching {total_bytes} bytes from {address:#x}")
+6132 gef.memory.write(address, nops, total_bytes)
+ +6134 return
+ + +6137@register
+6138class StubCommand(GenericCommand):
+6139 """Stub out the specified function. This function is useful when needing to skip one
+6140 function to be called and disrupt your runtime flow (ex. fork)."""
+ +6142 _cmdline_ = "stub"
+6143 _syntax_ = (f"{_cmdline_} [--retval RETVAL] [address]"
+6144 "\taddress\taddress/symbol to stub out"
+6145 "\t--retval RETVAL\tSet the return value")
+6146 _example_ = f"{_cmdline_} --retval 0 fork"
+ +6148 def __init__(self) -> None:
+6149 super().__init__(complete=gdb.COMPLETE_LOCATION)
+6150 return
+ +6152 @only_if_gdb_running
+6153 @parse_arguments({"address": ""}, {("-r", "--retval"): 0})
+6154 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+6155 args : argparse.Namespace = kwargs["arguments"]
+6156 loc = args.address if args.address else f"*{gef.arch.pc:#x}"
+6157 StubBreakpoint(loc, args.retval)
+6158 return
+ + +6161@register
+6162class GlibcHeapCommand(GenericCommand):
+6163 """Base command to get information about the Glibc heap structure."""
+ +6165 _cmdline_ = "heap"
+6166 _syntax_ = f"{_cmdline_} (chunk|chunks|bins|arenas|set-arena)"
+ +6168 def __init__(self) -> None:
+6169 super().__init__(prefix=True)
+6170 return
+ +6172 @only_if_gdb_running
+6173 def do_invoke(self, _: List[str]) -> None:
+6174 self.usage()
+6175 return
+ + +6178@register
+6179class GlibcHeapSetArenaCommand(GenericCommand):
+6180 """Set the address of the main_arena or the currently selected arena."""
+ +6182 _cmdline_ = "heap set-arena"
+6183 _syntax_ = f"{_cmdline_} [address|&symbol]"
+6184 _example_ = f"{_cmdline_} 0x001337001337"
+ +6186 def __init__(self) -> None:
+6187 super().__init__(complete=gdb.COMPLETE_LOCATION)
+6188 return
+ +6190 @only_if_gdb_running
+6191 @parse_arguments({"addr": ""}, {"--reset": True})
+6192 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+6193 global gef
+ +6195 args: argparse.Namespace = kwargs["arguments"]
+ +6197 if args.reset: 6197 ↛ 6198line 6197 didn't jump to line 6198, because the condition on line 6197 was never true
+6198 gef.heap.reset_caches()
+6199 return
+ +6201 if not args.addr: 6201 ↛ 6202line 6201 didn't jump to line 6202, because the condition on line 6201 was never true
+6202 ok(f"Current arena set to: '{gef.heap.selected_arena}'")
+6203 return
+ +6205 try:
+6206 new_arena_address = parse_address(args.addr)
+6207 except gdb.error:
+6208 err("Invalid symbol for arena")
+6209 return
+ +6211 new_arena = GlibcArena( f"*{new_arena_address:#x}")
+6212 if new_arena in gef.heap.arenas: 6212 ↛ 6217line 6212 didn't jump to line 6217, because the condition on line 6212 was never false
+6213 # if entered arena is in arena list then just select it
+6214 gef.heap.selected_arena = new_arena
+6215 else:
+6216 # otherwise set the main arena to the entered arena
+6217 gef.heap.main_arena = new_arena
+6218 return
+ + +6221@register
+6222class GlibcHeapArenaCommand(GenericCommand):
+6223 """Display information on a heap chunk."""
+ +6225 _cmdline_ = "heap arenas"
+6226 _syntax_ = _cmdline_
+ +6228 @only_if_gdb_running
+6229 def do_invoke(self, _: List[str]) -> None:
+6230 for arena in gef.heap.arenas:
+6231 gef_print(str(arena))
+6232 return
+ + +6235@register
+6236class GlibcHeapChunkCommand(GenericCommand):
+6237 """Display information on a heap chunk.
+6238 See https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1123."""
+ +6240 _cmdline_ = "heap chunk"
+6241 _syntax_ = f"{_cmdline_} [-h] [--allow-unaligned] [--number] address"
+ +6243 def __init__(self) -> None:
+6244 super().__init__(complete=gdb.COMPLETE_LOCATION)
+6245 return
+ +6247 @parse_arguments({"address": ""}, {"--allow-unaligned": True, "--number": 1})
+6248 @only_if_gdb_running
+6249 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+6250 args : argparse.Namespace = kwargs["arguments"]
+6251 if not args.address: 6251 ↛ 6252line 6251 didn't jump to line 6252, because the condition on line 6251 was never true
+6252 err("Missing chunk address")
+6253 self.usage()
+6254 return
+ +6256 addr = parse_address(args.address)
+6257 current_chunk = GlibcChunk(addr, allow_unaligned=args.allow_unaligned)
+ +6259 if args.number > 1:
+6260 for _i in range(args.number): 6260 ↛ 6276line 6260 didn't jump to line 6276, because the loop on line 6260 didn't complete
+6261 if current_chunk.size == 0: 6261 ↛ 6262line 6261 didn't jump to line 6262, because the condition on line 6261 was never true
+6262 break
+ +6264 gef_print(str(current_chunk))
+6265 next_chunk_addr = current_chunk.get_next_chunk_addr()
+6266 if not Address(value=next_chunk_addr).valid:
+6267 break
+ +6269 next_chunk = current_chunk.get_next_chunk()
+6270 if next_chunk is None: 6270 ↛ 6271line 6270 didn't jump to line 6271, because the condition on line 6270 was never true
+6271 break
+ +6273 current_chunk = next_chunk
+6274 else:
+6275 gef_print(current_chunk.psprint())
+6276 return
+ + +6279@register
+6280class GlibcHeapChunksCommand(GenericCommand):
+6281 """Display all heap chunks for the current arena. As an optional argument
+6282 the base address of a different arena can be passed"""
+ +6284 _cmdline_ = "heap chunks"
+6285 _syntax_ = f"{_cmdline_} [-h] [--all] [--allow-unaligned] [arena_address]"
+6286 _example_ = (f"\n{_cmdline_}"
+6287 f"\n{_cmdline_} 0x555555775000")
+ +6289 def __init__(self) -> None:
+6290 super().__init__(complete=gdb.COMPLETE_LOCATION)
+6291 self["peek_nb_byte"] = (16, "Hexdump N first byte(s) inside the chunk data (0 to disable)")
+6292 return
+ +6294 @parse_arguments({"arena_address": ""}, {("--all", "-a"): True, "--allow-unaligned": True})
+6295 @only_if_gdb_running
+6296 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+6297 args = kwargs["arguments"]
+6298 if args.all or not args.arena_address:
+6299 for arena in gef.heap.arenas: 6299 ↛ 6303line 6299 didn't jump to line 6303, because the loop on line 6299 didn't complete
+6300 self.dump_chunks_arena(arena, print_arena=args.all, allow_unaligned=args.allow_unaligned)
+6301 if not args.all: 6301 ↛ 6299line 6301 didn't jump to line 6299, because the condition on line 6301 was never false
+6302 return
+6303 try:
+6304 arena_addr = parse_address(args.arena_address)
+6305 arena = GlibcArena(f"*{arena_addr:#x}")
+6306 self.dump_chunks_arena(arena, allow_unaligned=args.allow_unaligned)
+6307 except gdb.error:
+6308 err("Invalid arena")
+6309 return
+ +6311 def dump_chunks_arena(self, arena: GlibcArena, print_arena: bool = False, allow_unaligned: bool = False) -> None:
+6312 heap_addr = arena.heap_addr(allow_unaligned=allow_unaligned)
+6313 if heap_addr is None: 6313 ↛ 6314line 6313 didn't jump to line 6314, because the condition on line 6313 was never true
+6314 err("Could not find heap for arena")
+6315 return
+6316 if print_arena: 6316 ↛ 6317line 6316 didn't jump to line 6317, because the condition on line 6316 was never true
+6317 gef_print(str(arena))
+6318 if arena.is_main_arena():
+6319 heap_end = arena.top + GlibcChunk(arena.top, from_base=True).size
+6320 self.dump_chunks_heap(heap_addr, heap_end, arena, allow_unaligned=allow_unaligned)
+6321 else:
+6322 heap_info_structs = arena.get_heap_info_list() or []
+6323 for heap_info in heap_info_structs:
+6324 if not self.dump_chunks_heap(heap_info.heap_start, heap_info.heap_end, arena, allow_unaligned=allow_unaligned): 6324 ↛ 6325line 6324 didn't jump to line 6325, because the condition on line 6324 was never true
+6325 break
+6326 return
+ +6328 def dump_chunks_heap(self, start: int, end: int, arena: GlibcArena, allow_unaligned: bool = False) -> bool:
+6329 nb = self["peek_nb_byte"]
+6330 chunk_iterator = GlibcChunk(start, from_base=True, allow_unaligned=allow_unaligned)
+6331 for chunk in chunk_iterator: 6331 ↛ 6345line 6331 didn't jump to line 6345, because the loop on line 6331 didn't complete
+6332 if chunk.base_address == arena.top:
+6333 gef_print(
+6334 f"{chunk!s} {LEFT_ARROW} {Color.greenify('top chunk')}")
+6335 break
+ +6337 if chunk.base_address > end: 6337 ↛ 6338line 6337 didn't jump to line 6338, because the condition on line 6337 was never true
+6338 err("Corrupted heap, cannot continue.")
+6339 return False
+ +6341 line = str(chunk)
+6342 if nb: 6342 ↛ 6344line 6342 didn't jump to line 6344, because the condition on line 6342 was never false
+6343 line += f"\n [{hexdump(gef.memory.read(chunk.data_address, nb), nb, base=chunk.data_address)}]"
+6344 gef_print(line)
+6345 return True
+ + +6348@register
+6349class GlibcHeapBinsCommand(GenericCommand):
+6350 """Display information on the bins on an arena (default: main_arena).
+6351 See https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1123."""
+ +6353 _bin_types_ = ("tcache", "fast", "unsorted", "small", "large")
+6354 _cmdline_ = "heap bins"
+6355 _syntax_ = f"{_cmdline_} [{'|'.join(_bin_types_)}]"
+ +6357 def __init__(self) -> None:
+6358 super().__init__(prefix=True, complete=gdb.COMPLETE_LOCATION)
+6359 return
+ +6361 @only_if_gdb_running
+6362 def do_invoke(self, argv: List[str]) -> None:
+6363 if not argv:
+6364 for bin_t in self._bin_types_:
+6365 gdb.execute(f"heap bins {bin_t}")
+6366 return
+ +6368 bin_t = argv[0]
+6369 if bin_t not in self._bin_types_:
+6370 self.usage()
+6371 return
+ +6373 gdb.execute(f"heap bins {bin_t}")
+6374 return
+ +6376 @staticmethod
+6377 def pprint_bin(arena_addr: str, index: int, _type: str = "") -> int:
+6378 arena = GlibcArena(arena_addr)
+ +6380 fd, bk = arena.bin(index)
+6381 if (fd, bk) == (0x00, 0x00): 6381 ↛ 6382line 6381 didn't jump to line 6382, because the condition on line 6381 was never true
+6382 warn("Invalid backward and forward bin pointers(fw==bk==NULL)")
+6383 return -1
+ +6385 if _type == "tcache": 6385 ↛ 6386line 6385 didn't jump to line 6386, because the condition on line 6385 was never true
+6386 chunkClass = GlibcTcacheChunk
+6387 elif _type == "fast": 6387 ↛ 6388line 6387 didn't jump to line 6388, because the condition on line 6387 was never true
+6388 chunkClass = GlibcFastChunk
+6389 else:
+6390 chunkClass = GlibcChunk
+ +6392 nb_chunk = 0
+6393 head = chunkClass(bk, from_base=True).fd
+6394 if fd == head:
+6395 return nb_chunk
+ +6397 ok(f"{_type}bins[{index:d}]: fw={fd:#x}, bk={bk:#x}")
+ +6399 m = []
+6400 while fd != head:
+6401 chunk = chunkClass(fd, from_base=True)
+6402 m.append(f"{RIGHT_ARROW} {chunk!s}")
+6403 fd = chunk.fd
+6404 nb_chunk += 1
+ +6406 if m: 6406 ↛ 6408line 6406 didn't jump to line 6408, because the condition on line 6406 was never false
+6407 gef_print(" ".join(m))
+6408 return nb_chunk
+ + +6411@register
+6412class GlibcHeapTcachebinsCommand(GenericCommand):
+6413 """Display information on the Tcachebins on an arena (default: main_arena).
+6414 See https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc."""
+ +6416 _cmdline_ = "heap bins tcache"
+6417 _syntax_ = f"{_cmdline_} [all] [thread_ids...]"
+ +6419 TCACHE_MAX_BINS = 0x40
+ +6421 def __init__(self) -> None:
+6422 super().__init__(complete=gdb.COMPLETE_LOCATION)
+6423 return
+ +6425 @only_if_gdb_running
+6426 def do_invoke(self, argv: List[str]) -> None:
+6427 # Determine if we are using libc with tcache built in (2.26+)
+6428 if gef.libc.version and gef.libc.version < (2, 26): 6428 ↛ 6429line 6428 didn't jump to line 6429, because the condition on line 6428 was never true
+6429 info("No Tcache in this version of libc")
+6430 return
+ +6432 current_thread = gdb.selected_thread()
+6433 if current_thread is None: 6433 ↛ 6434line 6433 didn't jump to line 6434, because the condition on line 6433 was never true
+6434 err("Couldn't find current thread")
+6435 return
+ +6437 # As a nicety, we want to display threads in ascending order by gdb number
+6438 threads = sorted(gdb.selected_inferior().threads(), key=lambda t: t.num)
+6439 if argv:
+6440 if "all" in argv: 6440 ↛ 6443line 6440 didn't jump to line 6443, because the condition on line 6440 was never false
+6441 tids = [t.num for t in threads]
+6442 else:
+6443 tids = self.check_thread_ids([int(a) for a in argv])
+6444 else:
+6445 tids = [current_thread.num]
+ +6447 for thread in threads:
+6448 if thread.num not in tids:
+6449 continue
+ +6451 thread.switch()
+ +6453 tcache_addr = self.find_tcache()
+6454 if tcache_addr == 0: 6454 ↛ 6455line 6454 didn't jump to line 6455, because the condition on line 6454 was never true
+6455 info(f"Uninitialized tcache for thread {thread.num:d}")
+6456 continue
+ +6458 gef_print(titlify(f"Tcachebins for thread {thread.num:d}"))
+6459 tcache_empty = True
+6460 for i in range(self.TCACHE_MAX_BINS):
+6461 chunk, count = self.tcachebin(tcache_addr, i)
+6462 chunks = set()
+6463 msg = []
+6464 chunk_size = 0
+ +6466 # Only print the entry if there are valid chunks. Don't trust count
+6467 while True:
+6468 if chunk is None:
+6469 break
+ +6471 try:
+6472 msg.append(f"{LEFT_ARROW} {chunk!s} ")
+6473 if not chunk_size:
+6474 chunk_size = chunk.usable_size
+ +6476 if chunk.data_address in chunks: 6476 ↛ 6477line 6476 didn't jump to line 6477, because the condition on line 6476 was never true
+6477 msg.append(f"{RIGHT_ARROW} [loop detected]")
+6478 break
+ +6480 chunks.add(chunk.data_address)
+ +6482 next_chunk = chunk.fd
+6483 if next_chunk == 0:
+6484 break
+ +6486 chunk = GlibcTcacheChunk(next_chunk)
+6487 except gdb.MemoryError:
+6488 msg.append(f"{LEFT_ARROW} [Corrupted chunk at {chunk.data_address:#x}]")
+6489 break
+ +6491 if msg:
+6492 tcache_empty = False
+6493 tidx = gef.heap.csize2tidx(chunk_size)
+6494 size = gef.heap.tidx2size(tidx)
+6495 count = len(chunks)
+6496 gef_print(f"Tcachebins[idx={tidx:d}, size={size:#x}, count={count}]", end="")
+6497 gef_print("".join(msg))
+ +6499 if tcache_empty:
+6500 gef_print("All tcachebins are empty")
+ +6502 current_thread.switch()
+6503 return
+ +6505 @staticmethod
+6506 def find_tcache() -> int:
+6507 """Return the location of the current thread's tcache."""
+6508 try:
+6509 # For multithreaded binaries, the tcache symbol (in thread local
+6510 # storage) will give us the correct address.
+6511 tcache_addr = parse_address("(void *) tcache")
+6512 except gdb.error:
+6513 # In binaries not linked with pthread (and therefore there is only
+6514 # one thread), we can't use the tcache symbol, but we can guess the
+6515 # correct address because the tcache is consistently the first
+6516 # allocation in the main arena.
+6517 heap_base = gef.heap.base_address
+6518 if heap_base is None:
+6519 err("No heap section")
+6520 return 0x0
+6521 tcache_addr = heap_base + 0x10
+6522 return tcache_addr
+ +6524 @staticmethod
+6525 def check_thread_ids(tids: List[int]) -> List[int]:
+6526 """Return the subset of tids that are currently valid."""
+6527 existing_tids = set(t.num for t in gdb.selected_inferior().threads())
+6528 return list(set(tids) & existing_tids)
+ +6530 @staticmethod
+6531 def tcachebin(tcache_base: int, i: int) -> Tuple[Optional[GlibcTcacheChunk], int]:
+6532 """Return the head chunk in tcache[i] and the number of chunks in the bin."""
+6533 if i >= GlibcHeapTcachebinsCommand.TCACHE_MAX_BINS: 6533 ↛ 6534line 6533 didn't jump to line 6534, because the condition on line 6533 was never true
+6534 err("Incorrect index value, index value must be between 0 and {}-1, given {}".format(GlibcHeapTcachebinsCommand.TCACHE_MAX_BINS, i))
+6535 return None, 0
+ +6537 tcache_chunk = GlibcTcacheChunk(tcache_base)
+ +6539 # Glibc changed the size of the tcache in version 2.30; this fix has
+6540 # been backported inconsistently between distributions. We detect the
+6541 # difference by checking the size of the allocated chunk for the
+6542 # tcache.
+6543 # Minimum usable size of allocated tcache chunk = ?
+6544 # For new tcache:
+6545 # TCACHE_MAX_BINS * _2_ + TCACHE_MAX_BINS * ptrsize
+6546 # For old tcache:
+6547 # TCACHE_MAX_BINS * _1_ + TCACHE_MAX_BINS * ptrsize
+6548 new_tcache_min_size = (
+6549 GlibcHeapTcachebinsCommand.TCACHE_MAX_BINS * 2 +
+6550 GlibcHeapTcachebinsCommand.TCACHE_MAX_BINS * gef.arch.ptrsize)
+ +6552 if tcache_chunk.usable_size < new_tcache_min_size: 6552 ↛ 6553line 6552 didn't jump to line 6553, because the condition on line 6552 was never true
+6553 tcache_count_size = 1
+6554 count = ord(gef.memory.read(tcache_base + tcache_count_size*i, 1))
+6555 else:
+6556 tcache_count_size = 2
+6557 count = u16(gef.memory.read(tcache_base + tcache_count_size*i, 2))
+ +6559 chunk = dereference(tcache_base + tcache_count_size*GlibcHeapTcachebinsCommand.TCACHE_MAX_BINS + i*gef.arch.ptrsize)
+6560 chunk = GlibcTcacheChunk(int(chunk)) if chunk else None
+6561 return chunk, count
+ + +6564@register
+6565class GlibcHeapFastbinsYCommand(GenericCommand):
+6566 """Display information on the fastbinsY on an arena (default: main_arena).
+6567 See https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1123."""
+ +6569 _cmdline_ = "heap bins fast"
+6570 _syntax_ = f"{_cmdline_} [ARENA_ADDRESS]"
+ +6572 def __init__(self) -> None:
+6573 super().__init__(complete=gdb.COMPLETE_LOCATION)
+6574 return
+ +6576 @parse_arguments({"arena_address": ""}, {})
+6577 @only_if_gdb_running
+6578 def do_invoke(self, *_: Any, **kwargs: Any) -> None:
+6579 def fastbin_index(sz: int) -> int:
+6580 return (sz >> 4) - 2 if SIZE_SZ == 8 else (sz >> 3) - 2
+ +6582 args : argparse.Namespace = kwargs["arguments"]
+6583 if not gef.heap.main_arena: 6583 ↛ 6584line 6583 didn't jump to line 6584, because the condition on line 6583 was never true
+6584 err("Heap not initialized")
+6585 return
+ +6587 SIZE_SZ = gef.arch.ptrsize
+6588 MAX_FAST_SIZE = 80 * SIZE_SZ // 4
+6589 NFASTBINS = fastbin_index(MAX_FAST_SIZE) - 1
+ +6591 arena = GlibcArena(f"*{args.arena_address}") if args.arena_address else gef.heap.selected_arena
+6592 if arena is None: 6592 ↛ 6593line 6592 didn't jump to line 6593, because the condition on line 6592 was never true
+6593 err("Invalid Glibc arena")
+6594 return
+ +6596 gef_print(titlify(f"Fastbins for arena at {arena.addr:#x}"))
+6597 for i in range(NFASTBINS):
+6598 gef_print(f"Fastbins[idx={i:d}, size={(i+2)*SIZE_SZ*2:#x}] ", end="")
+6599 chunk = arena.fastbin(i)
+6600 chunks = set()
+ +6602 while True:
+6603 if chunk is None:
+6604 gef_print("0x00", end="")
+6605 break
+ +6607 try:
+6608 gef_print(f"{LEFT_ARROW} {chunk!s} ", end="")
+6609 if chunk.data_address in chunks: 6609 ↛ 6610line 6609 didn't jump to line 6610, because the condition on line 6609 was never true
+6610 gef_print(f"{RIGHT_ARROW} [loop detected]", end="")
+6611 break
+ +6613 if fastbin_index(chunk.size) != i: 6613 ↛ 6614line 6613 didn't jump to line 6614, because the condition on line 6613 was never true
+6614 gef_print("[incorrect fastbin_index] ", end="")
+ +6616 chunks.add(chunk.data_address)
+ +6618 next_chunk = chunk.fd
+6619 if next_chunk == 0: 6619 ↛ 6622line 6619 didn't jump to line 6622, because the condition on line 6619 was never false
+6620 break
+ +6622 chunk = GlibcFastChunk(next_chunk, from_base=True)
+6623 except gdb.MemoryError:
+6624 gef_print(f"{LEFT_ARROW} [Corrupted chunk at {chunk.data_address:#x}]", end="")
+6625 break
+6626 gef_print()
+6627 return
+ + +6630@register
+6631class GlibcHeapUnsortedBinsCommand(GenericCommand):
+6632 """Display information on the Unsorted Bins of an arena (default: main_arena).
+6633 See: https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1689."""
+ +6635 _cmdline_ = "heap bins unsorted"
+6636 _syntax_ = f"{_cmdline_} [ARENA_ADDRESS]"
+ +6638 def __init__(self) -> None:
+6639 super().__init__(complete=gdb.COMPLETE_LOCATION)
+6640 return
+ +6642 @parse_arguments({"arena_address": ""}, {})
+6643 @only_if_gdb_running
+6644 def do_invoke(self, *_: Any, **kwargs: Any) -> None:
+6645 args : argparse.Namespace = kwargs["arguments"]
+6646 if gef.heap.main_arena is None: 6646 ↛ 6647line 6646 didn't jump to line 6647, because the condition on line 6646 was never true
+6647 err("Heap not initialized")
+6648 return
+6649 arena_addr = args.arena_address if args.arena_address else f"{gef.heap.selected_arena.addr:#x}"
+6650 gef_print(titlify(f"Unsorted Bin for arena at {arena_addr}"))
+6651 nb_chunk = GlibcHeapBinsCommand.pprint_bin(f"*{arena_addr}", 0, "unsorted_")
+6652 if nb_chunk >= 0: 6652 ↛ 6654line 6652 didn't jump to line 6654, because the condition on line 6652 was never false
+6653 info(f"Found {nb_chunk:d} chunks in unsorted bin.")
+6654 return
+ + +6657@register
+6658class GlibcHeapSmallBinsCommand(GenericCommand):
+6659 """Convenience command for viewing small bins."""
+ +6661 _cmdline_ = "heap bins small"
+6662 _syntax_ = f"{_cmdline_} [ARENA_ADDRESS]"
+ +6664 def __init__(self) -> None:
+6665 super().__init__(complete=gdb.COMPLETE_LOCATION)
+6666 return
+ +6668 @parse_arguments({"arena_address": ""}, {})
+6669 @only_if_gdb_running
+6670 def do_invoke(self, *_: Any, **kwargs: Any) -> None:
+6671 args : argparse.Namespace = kwargs["arguments"]
+6672 if not gef.heap.main_arena: 6672 ↛ 6673line 6672 didn't jump to line 6673, because the condition on line 6672 was never true
+6673 err("Heap not initialized")
+6674 return
+ +6676 arena_address = args.arena_address or f"{gef.heap.selected_arena.address:#x}"
+6677 gef_print(titlify(f"Small Bins for arena at {arena_address}"))
+6678 bins = {}
+6679 for i in range(1, 63):
+6680 nb_chunk = GlibcHeapBinsCommand.pprint_bin(f"*{arena_address}", i, "small_")
+6681 if nb_chunk < 0: 6681 ↛ 6682line 6681 didn't jump to line 6682, because the condition on line 6681 was never true
+6682 break
+6683 if nb_chunk > 0:
+6684 bins[i] = nb_chunk
+6685 info(f"Found {sum(bins.values()):d} chunks in {len(bins):d} small non-empty bins.")
+6686 return
+ + +6689@register
+6690class GlibcHeapLargeBinsCommand(GenericCommand):
+6691 """Convenience command for viewing large bins."""
+ +6693 _cmdline_ = "heap bins large"
+6694 _syntax_ = f"{_cmdline_} [ARENA_ADDRESS]"
+ +6696 def __init__(self) -> None:
+6697 super().__init__(complete=gdb.COMPLETE_LOCATION)
+6698 return
+ +6700 @parse_arguments({"arena_address": ""}, {})
+6701 @only_if_gdb_running
+6702 def do_invoke(self, *_: Any, **kwargs: Any) -> None:
+6703 args : argparse.Namespace = kwargs["arguments"]
+6704 if gef.heap.main_arena is None: 6704 ↛ 6705line 6704 didn't jump to line 6705, because the condition on line 6704 was never true
+6705 err("Heap not initialized")
+6706 return
+ +6708 arena_addr = args.arena_address if args.arena_address else f"{gef.heap.selected_arena.addr:#x}"
+6709 gef_print(titlify(f"Large Bins for arena at {arena_addr}"))
+6710 bins = {}
+6711 for i in range(63, 126):
+6712 nb_chunk = GlibcHeapBinsCommand.pprint_bin(f"*{arena_addr}", i, "large_")
+6713 if nb_chunk < 0: 6713 ↛ 6714line 6713 didn't jump to line 6714, because the condition on line 6713 was never true
+6714 break
+6715 if nb_chunk > 0:
+6716 bins[i] = nb_chunk
+6717 info(f"Found {sum(bins.values()):d} chunks in {len(bins):d} large non-empty bins.")
+6718 return
+ + +6721@register
+6722class SolveKernelSymbolCommand(GenericCommand):
+6723 """Solve kernel symbols from kallsyms table."""
+ +6725 _cmdline_ = "ksymaddr"
+6726 _syntax_ = f"{_cmdline_} SymbolToSearch"
+6727 _example_ = f"{_cmdline_} prepare_creds"
+ +6729 @parse_arguments({"symbol": ""}, {})
+6730 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+6731 def hex_to_int(num):
+6732 try:
+6733 return int(num, 16)
+6734 except ValueError:
+6735 return 0
+6736 args : argparse.Namespace = kwargs["arguments"]
+6737 if not args.symbol: 6737 ↛ 6738line 6737 didn't jump to line 6738, because the condition on line 6737 was never true
+6738 self.usage()
+6739 return
+6740 sym = args.symbol
+6741 with open("/proc/kallsyms", "r") as f:
+6742 syms = [line.strip().split(" ", 2) for line in f]
+6743 matches = [(hex_to_int(addr), sym_t, " ".join(name.split())) for addr, sym_t, name in syms if sym in name]
+6744 for addr, sym_t, name in matches:
+6745 if sym == name.split()[0]:
+6746 ok(f"Found matching symbol for '{name}' at {addr:#x} (type={sym_t})")
+6747 else:
+6748 warn(f"Found partial match for '{sym}' at {addr:#x} (type={sym_t}): {name}")
+6749 if not matches: 6749 ↛ 6750line 6749 didn't jump to line 6750, because the condition on line 6749 was never true
+6750 err(f"No match for '{sym}'")
+6751 elif matches[0][0] == 0: 6751 ↛ 6753line 6751 didn't jump to line 6753, because the condition on line 6751 was never false
+6752 err("Check that you have the correct permissions to view kernel symbol addresses")
+6753 return
+ + +6756@register
+6757class DetailRegistersCommand(GenericCommand):
+6758 """Display full details on one, many or all registers value from current architecture."""
+ +6760 _cmdline_ = "registers"
+6761 _syntax_ = f"{_cmdline_} [[Register1][Register2] ... [RegisterN]]"
+6762 _example_ = (f"\n{_cmdline_}"
+6763 f"\n{_cmdline_} $eax $eip $esp")
+ +6765 @only_if_gdb_running
+6766 @parse_arguments({"registers": [""]}, {})
+6767 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+6768 unchanged_color = gef.config["theme.registers_register_name"]
+6769 changed_color = gef.config["theme.registers_value_changed"]
+6770 string_color = gef.config["theme.dereference_string"]
+6771 regs = gef.arch.all_registers
+ +6773 args : argparse.Namespace = kwargs["arguments"]
+6774 if args.registers and args.registers[0]:
+6775 requested_regs = set(args.registers)
+6776 valid_regs = set(gef.arch.all_registers) & requested_regs
+6777 if valid_regs: 6777 ↛ 6779line 6777 didn't jump to line 6779, because the condition on line 6777 was never false
+6778 regs = valid_regs
+6779 invalid_regs = requested_regs - valid_regs
+6780 if invalid_regs: 6780 ↛ 6781line 6780 didn't jump to line 6781, because the condition on line 6780 was never true
+6781 err(f"invalid registers for architecture: {', '.join(invalid_regs)}")
+ +6783 memsize = gef.arch.ptrsize
+6784 endian = str(gef.arch.endianness)
+6785 charset = string.printable
+6786 widest = max(map(len, gef.arch.all_registers))
+6787 special_line = ""
+ +6789 for regname in regs:
+6790 reg = gdb.parse_and_eval(regname)
+6791 if reg.type.code == gdb.TYPE_CODE_VOID: 6791 ↛ 6792line 6791 didn't jump to line 6792, because the condition on line 6791 was never true
+6792 continue
+ +6794 padreg = regname.ljust(widest, " ")
+ +6796 if str(reg) == "<unavailable>": 6796 ↛ 6797line 6796 didn't jump to line 6797, because the condition on line 6796 was never true
+6797 gef_print(f"{Color.colorify(padreg, unchanged_color)}: "
+6798 f"{Color.colorify('no value', 'yellow underline')}")
+6799 continue
+ +6801 value = align_address(int(reg))
+6802 old_value = ContextCommand.old_registers.get(regname, 0)
+6803 if value == old_value:
+6804 color = unchanged_color
+6805 else:
+6806 color = changed_color
+ +6808 # Special (e.g. segment) registers go on their own line
+6809 if regname in gef.arch.special_registers:
+6810 special_line += f"{Color.colorify(regname, color)}: "
+6811 special_line += f"{gef.arch.register(regname):#04x} "
+6812 continue
+ +6814 line = f"{Color.colorify(padreg, color)}: "
+ +6816 if regname == gef.arch.flag_register:
+6817 line += gef.arch.flag_register_to_human()
+6818 gef_print(line)
+6819 continue
+ +6821 addr = lookup_address(align_address(int(value)))
+6822 if addr.valid:
+6823 line += str(addr)
+6824 else:
+6825 line += format_address_spaces(value)
+6826 addrs = dereference_from(value)
+ +6828 if len(addrs) > 1:
+6829 sep = f" {RIGHT_ARROW} "
+6830 line += sep
+6831 line += sep.join(addrs[1:])
+ +6833 # check to see if reg value is ascii
+6834 try:
+6835 fmt = f"{endian}{'I' if memsize == 4 else 'Q'}"
+6836 last_addr = int(addrs[-1], 16)
+6837 val = gef_pystring(struct.pack(fmt, last_addr))
+6838 if all([_ in charset for _ in val]):
+6839 line += f" (\"{Color.colorify(val, string_color)}\"?)"
+6840 except ValueError:
+6841 pass
+ +6843 gef_print(line)
+ +6845 if special_line: 6845 ↛ 6847line 6845 didn't jump to line 6847, because the condition on line 6845 was never false
+6846 gef_print(special_line)
+6847 return
+ + +6850@register
+6851class ShellcodeCommand(GenericCommand):
+6852 """ShellcodeCommand uses @JonathanSalwan simple-yet-awesome shellcode API to
+6853 download shellcodes."""
+ +6855 _cmdline_ = "shellcode"
+6856 _syntax_ = f"{_cmdline_} (search|get)"
+ +6858 def __init__(self) -> None:
+6859 super().__init__(prefix=True)
+6860 return
+ +6862 def do_invoke(self, _: List[str]) -> None:
+6863 err("Missing sub-command (search|get)")
+6864 self.usage()
+6865 return
+ + +6868@register
+6869class ShellcodeSearchCommand(GenericCommand):
+6870 """Search pattern in shell-storm's shellcode database."""
+ +6872 _cmdline_ = "shellcode search"
+6873 _syntax_ = f"{_cmdline_} PATTERN1 PATTERN2"
+6874 _aliases_ = ["sc-search",]
+ +6876 api_base = "http://shell-storm.org"
+6877 search_url = f"{api_base}/api/?s="
+ +6879 def do_invoke(self, argv: List[str]) -> None:
+6880 if not argv: 6880 ↛ 6881line 6880 didn't jump to line 6881, because the condition on line 6880 was never true
+6881 err("Missing pattern to search")
+6882 self.usage()
+6883 return
+ +6885 self.search_shellcode(argv)
+6886 return
+ +6888 def search_shellcode(self, search_options: List) -> None:
+6889 # API : http://shell-storm.org/shellcode/
+6890 args = "*".join(search_options)
+ +6892 res = http_get(self.search_url + args)
+6893 if res is None: 6893 ↛ 6894line 6893 didn't jump to line 6894, because the condition on line 6893 was never true
+6894 err("Could not query search page")
+6895 return
+ +6897 ret = gef_pystring(res)
+ +6899 # format: [author, OS/arch, cmd, id, link]
+6900 lines = ret.split("\\n")
+6901 refs = [line.split("::::") for line in lines]
+ +6903 if refs: 6903 ↛ 6914line 6903 didn't jump to line 6914, because the condition on line 6903 was never false
+6904 info("Showing matching shellcodes")
+6905 info("\t".join(["Id", "Platform", "Description"]))
+6906 for ref in refs:
+6907 try:
+6908 _, arch, cmd, sid, _ = ref
+6909 gef_print("\t".join([sid, arch, cmd]))
+6910 except ValueError:
+6911 continue
+ +6913 info("Use `shellcode get <id>` to fetch shellcode")
+6914 return
+ + +6917@register
+6918class ShellcodeGetCommand(GenericCommand):
+6919 """Download shellcode from shell-storm's shellcode database."""
+ +6921 _cmdline_ = "shellcode get"
+6922 _syntax_ = f"{_cmdline_} SHELLCODE_ID"
+6923 _aliases_ = ["sc-get",]
+ +6925 api_base = "http://shell-storm.org"
+6926 get_url = f"{api_base}/shellcode/files/shellcode-{{:d}}.html"
+ +6928 def do_invoke(self, argv: List[str]) -> None:
+6929 if len(argv) != 1: 6929 ↛ 6930line 6929 didn't jump to line 6930, because the condition on line 6929 was never true
+6930 err("Missing ID to download")
+6931 self.usage()
+6932 return
+ +6934 if not argv[0].isdigit(): 6934 ↛ 6935line 6934 didn't jump to line 6935, because the condition on line 6934 was never true
+6935 err("ID is not a number")
+6936 self.usage()
+6937 return
+ +6939 self.get_shellcode(int(argv[0]))
+6940 return
+ +6942 def get_shellcode(self, sid: int) -> None:
+6943 info(f"Downloading shellcode id={sid}")
+6944 res = http_get(self.get_url.format(sid))
+6945 if res is None:
+6946 err(f"Failed to fetch shellcode #{sid}")
+6947 return
+ +6949 ok("Downloaded, written to disk...")
+6950 with tempfile.NamedTemporaryFile(prefix="sc-", suffix=".txt", mode='w+b', delete=False, dir=gef.config["gef.tempdir"]) as fd:
+6951 shellcode = res.split(b"<pre>")[1].split(b"</pre>")[0]
+6952 shellcode = shellcode.replace(b""", b'"')
+6953 fd.write(shellcode)
+6954 ok(f"Shellcode written to '{fd.name}'")
+6955 return
+ + +6958@register
+6959class ProcessListingCommand(GenericCommand):
+6960 """List and filter process. If a PATTERN is given as argument, results shown will be grepped
+6961 by this pattern."""
+ +6963 _cmdline_ = "process-search"
+6964 _syntax_ = f"{_cmdline_} [-h] [--attach] [--smart-scan] [REGEX_PATTERN]"
+6965 _aliases_ = ["ps"]
+6966 _example_ = f"{_cmdline_} gdb.*"
+ +6968 def __init__(self) -> None:
+6969 super().__init__(complete=gdb.COMPLETE_LOCATION)
+6970 self["ps_command"] = (f"{gef.session.constants['ps']} auxww", "`ps` command to get process information")
+6971 return
+ +6973 @parse_arguments({"pattern": ""}, {"--attach": True, "--smart-scan": True})
+6974 def do_invoke(self, _: List, **kwargs: Any) -> None:
+6975 args : argparse.Namespace = kwargs["arguments"]
+6976 do_attach = args.attach
+6977 smart_scan = args.smart_scan
+6978 pattern = args.pattern
+6979 pattern = re.compile("^.*$") if not args else re.compile(pattern)
+ +6981 for process in self.get_processes():
+6982 pid = int(process["pid"])
+6983 command = process["command"]
+ +6985 if not re.search(pattern, command):
+6986 continue
+ +6988 if smart_scan:
+6989 if command.startswith("[") and command.endswith("]"): continue 6989 ↛ 6981line 6989 didn't jump to line 6981, because the continue on line 6989 wasn't executed
+6990 if command.startswith("socat "): continue 6990 ↛ 6981line 6990 didn't jump to line 6981, because the continue on line 6990 wasn't executed
+6991 if command.startswith("grep "): continue 6991 ↛ 6981line 6991 didn't jump to line 6981, because the continue on line 6991 wasn't executed
+6992 if command.startswith("gdb "): continue 6992 ↛ 6994line 6992 didn't jump to line 6994, because the condition on line 6992 was never false
+ +6994 if args and do_attach: 6994 ↛ 6995line 6994 didn't jump to line 6995, because the condition on line 6994 was never true
+6995 ok(f"Attaching to process='{process['command']}' pid={pid:d}")
+6996 gdb.execute(f"attach {pid:d}")
+6997 return None
+ +6999 line = [process[i] for i in ("pid", "user", "cpu", "mem", "tty", "command")]
+7000 gef_print("\t\t".join(line))
+ +7002 return None
+ +7004 def get_processes(self) -> Generator[Dict[str, str], None, None]:
+7005 output = gef_execute_external(self["ps_command"].split(), True)
+7006 names = [x.lower().replace("%", "") for x in output[0].split()]
+ +7008 for line in output[1:]:
+7009 fields = line.split()
+7010 t = {}
+ +7012 for i, name in enumerate(names):
+7013 if i == len(names) - 1:
+7014 t[name] = " ".join(fields[i:])
+7015 else:
+7016 t[name] = fields[i]
+ +7018 yield t
+ +7020 return
+ + +7023@register
+7024class ElfInfoCommand(GenericCommand):
+7025 """Display a limited subset of ELF header information. If no argument is provided, the command will
+7026 show information about the current ELF being debugged."""
+ +7028 _cmdline_ = "elf-info"
+7029 _syntax_ = f"{_cmdline_} [FILE]"
+7030 _example_ = f"{_cmdline_} /bin/ls"
+ +7032 def __init__(self) -> None:
+7033 super().__init__(complete=gdb.COMPLETE_LOCATION)
+7034 return
+ +7036 @parse_arguments({}, {"--filename": ""})
+7037 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+7038 args : argparse.Namespace = kwargs["arguments"]
+ +7040 if is_qemu_system(): 7040 ↛ 7041line 7040 didn't jump to line 7041, because the condition on line 7040 was never true
+7041 err("Unsupported")
+7042 return
+ +7044 filename = args.filename or get_filepath()
+7045 if filename is None: 7045 ↛ 7046line 7045 didn't jump to line 7046, because the condition on line 7045 was never true
+7046 return
+ +7048 try:
+7049 elf = Elf(filename)
+7050 except ValueError as ve:
+7051 err(f"`{filename}` is an invalid value for ELF file")
+7052 return
+ +7054 data = [
+7055 ("Magic", f"{hexdump(struct.pack('>I', elf.e_magic), show_raw=True)}"),
+7056 ("Class", f"{elf.e_class.value:#x} - {elf.e_class.name}"),
+7057 ("Endianness", f"{elf.e_endianness.value:#x} - {Endianness(elf.e_endianness).name}"),
+7058 ("Version", f"{elf.e_eiversion:#x}"),
+7059 ("OS ABI", f"{elf.e_osabi.value:#x} - {elf.e_osabi.name if elf.e_osabi else ''}"),
+7060 ("ABI Version", f"{elf.e_abiversion:#x}"),
+7061 ("Type", f"{elf.e_type.value:#x} - {elf.e_type.name}"),
+7062 ("Machine", f"{elf.e_machine.value:#x} - {elf.e_machine.name}"),
+7063 ("Program Header Table", f"{format_address(elf.e_phoff)}"),
+7064 ("Section Header Table", f"{format_address(elf.e_shoff)}"),
+7065 ("Header Table", f"{format_address(elf.e_phoff)}"),
+7066 ("ELF Version", f"{elf.e_version:#x}"),
+7067 ("Header size", "{0} ({0:#x})".format(elf.e_ehsize)),
+7068 ("Entry point", f"{format_address(elf.e_entry)}"),
+7069 ]
+ +7071 for title, content in data:
+7072 gef_print(f"{Color.boldify(f'{title:<22}')}: {content}")
+ +7074 gef_print("")
+7075 gef_print(titlify("Program Header"))
+ +7077 gef_print(" [{:>2s}] {:12s} {:>8s} {:>10s} {:>10s} {:>8s} {:>8s} {:5s} {:>8s}".format(
+7078 "#", "Type", "Offset", "Virtaddr", "Physaddr", "FileSiz", "MemSiz", "Flags", "Align"))
+ +7080 for i, p in enumerate(elf.phdrs):
+7081 p_type = p.p_type.name if p.p_type else ""
+7082 p_flags = str(p.p_flags.name).lstrip("Flag.") if p.p_flags else "???"
+ +7084 gef_print(" [{:2d}] {:12s} {:#8x} {:#10x} {:#10x} {:#8x} {:#8x} {:5s} {:#8x}".format(
+7085 i, p_type, p.p_offset, p.p_vaddr, p.p_paddr, p.p_filesz, p.p_memsz, p_flags, p.p_align))
+ +7087 gef_print("")
+7088 gef_print(titlify("Section Header"))
+7089 gef_print(" [{:>2s}] {:20s} {:>15s} {:>10s} {:>8s} {:>8s} {:>8s} {:5s} {:4s} {:4s} {:>8s}".format(
+7090 "#", "Name", "Type", "Address", "Offset", "Size", "EntSiz", "Flags", "Link", "Info", "Align"))
+ +7092 for i, s in enumerate(elf.shdrs):
+7093 sh_type = s.sh_type.name if s.sh_type else "UNKN"
+7094 sh_flags = str(s.sh_flags).lstrip("Flags.") if s.sh_flags else "UNKN"
+ +7096 gef_print(f" [{i:2d}] {s.name:20s} {sh_type:>15s} {s.sh_addr:#10x} {s.sh_offset:#8x} "
+7097 f"{s.sh_size:#8x} {s.sh_entsize:#8x} {sh_flags:5s} {s.sh_link:#4x} {s.sh_info:#4x} {s.sh_addralign:#8x}")
+7098 return
+ + +7101@register
+7102class EntryPointBreakCommand(GenericCommand):
+7103 """Tries to find best entry point and sets a temporary breakpoint on it. The command will test for
+7104 well-known symbols for entry points, such as `main`, `_main`, `__libc_start_main`, etc. defined by
+7105 the setting `entrypoint_symbols`."""
+ +7107 _cmdline_ = "entry-break"
+7108 _syntax_ = _cmdline_
+7109 _aliases_ = ["start",]
+ +7111 def __init__(self) -> None:
+7112 super().__init__()
+7113 self["entrypoint_symbols"] = ("main _main __libc_start_main __uClibc_main start _start", "Possible symbols for entry points")
+7114 return
+ +7116 def do_invoke(self, argv: List[str]) -> None:
+7117 fpath = get_filepath()
+7118 if fpath is None: 7118 ↛ 7119line 7118 didn't jump to line 7119, because the condition on line 7118 was never true
+7119 warn("No executable to debug, use `file` to load a binary")
+7120 return
+ +7122 if not os.access(fpath, os.X_OK): 7122 ↛ 7123line 7122 didn't jump to line 7123, because the condition on line 7122 was never true
+7123 warn(f"The file '{fpath}' is not executable.")
+7124 return
+ +7126 if is_alive() and not gef.session.qemu_mode:
+7127 warn("gdb is already running")
+7128 return
+ +7130 bp = None
+7131 entrypoints = self["entrypoint_symbols"].split()
+ +7133 for sym in entrypoints: 7133 ↛ 7149line 7133 didn't jump to line 7149, because the loop on line 7133 didn't complete
+7134 try:
+7135 value = parse_address(sym)
+7136 info(f"Breaking at '{value:#x}'")
+7137 bp = EntryBreakBreakpoint(sym)
+7138 gdb.execute(f"run {' '.join(argv)}")
+7139 return
+ +7141 except gdb.error as gdb_error:
+7142 if 'The "remote" target does not support "run".' in str(gdb_error):
+7143 # this case can happen when doing remote debugging
+7144 gdb.execute("continue")
+7145 return
+7146 continue
+ +7148 # if here, clear the breakpoint if any set
+7149 if bp:
+7150 bp.delete()
+ +7152 # break at entry point
+7153 entry = gef.binary.entry_point
+ +7155 if is_pie(fpath):
+7156 self.set_init_tbreak_pie(entry, argv)
+7157 gdb.execute("continue")
+7158 return
+ +7160 self.set_init_tbreak(entry)
+7161 gdb.execute(f"run {' '.join(argv)}")
+7162 return
+ +7164 def set_init_tbreak(self, addr: int) -> EntryBreakBreakpoint:
+7165 info(f"Breaking at entry-point: {addr:#x}")
+7166 bp = EntryBreakBreakpoint(f"*{addr:#x}")
+7167 return bp
+ +7169 def set_init_tbreak_pie(self, addr: int, argv: List[str]) -> EntryBreakBreakpoint:
+7170 warn("PIC binary detected, retrieving text base address")
+7171 gdb.execute("set stop-on-solib-events 1")
+7172 hide_context()
+7173 gdb.execute(f"run {' '.join(argv)}")
+7174 unhide_context()
+7175 gdb.execute("set stop-on-solib-events 0")
+7176 vmmap = gef.memory.maps
+7177 base_address = [x.page_start for x in vmmap if x.path == get_filepath()][0]
+7178 return self.set_init_tbreak(base_address + addr)
+ + +7181@register
+7182class NamedBreakpointCommand(GenericCommand):
+7183 """Sets a breakpoint and assigns a name to it, which will be shown, when it's hit."""
+ +7185 _cmdline_ = "name-break"
+7186 _syntax_ = f"{_cmdline_} name [address]"
+7187 _aliases_ = ["nb",]
+7188 _example = f"{_cmdline_} main *0x4008a9"
+ +7190 def __init__(self) -> None:
+7191 super().__init__()
+7192 return
+ +7194 @parse_arguments({"name": "", "address": "*$pc"}, {})
+7195 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+7196 args : argparse.Namespace = kwargs["arguments"]
+7197 if not args.name: 7197 ↛ 7198line 7197 didn't jump to line 7198, because the condition on line 7197 was never true
+7198 err("Missing name for breakpoint")
+7199 self.usage()
+7200 return
+ +7202 NamedBreakpoint(args.address, args.name)
+7203 return
+ + +7206@register
+7207class ContextCommand(GenericCommand):
+7208 """Displays a comprehensive and modular summary of runtime context. Unless setting `enable` is
+7209 set to False, this command will be spawned automatically every time GDB hits a breakpoint, a
+7210 watchpoint, or any kind of interrupt. By default, it will show panes that contain the register
+7211 states, the stack, and the disassembly code around $pc."""
+ +7213 _cmdline_ = "context"
+7214 _syntax_ = f"{_cmdline_} [legend|regs|stack|code|args|memory|source|trace|threads|extra]"
+7215 _aliases_ = ["ctx",]
+ +7217 old_registers: Dict[str, Optional[int]] = {}
+ +7219 def __init__(self) -> None:
+7220 super().__init__()
+7221 self["enable"] = (True, "Enable/disable printing the context when breaking")
+7222 self["show_source_code_variable_values"] = (True, "Show extra PC context info in the source code")
+7223 self["show_stack_raw"] = (False, "Show the stack pane as raw hexdump (no dereference)")
+7224 self["show_registers_raw"] = (False, "Show the registers pane with raw values (no dereference)")
+7225 self["show_opcodes_size"] = (0, "Number of bytes of opcodes to display next to the disassembly")
+7226 self["peek_calls"] = (True, "Peek into calls")
+7227 self["peek_ret"] = (True, "Peek at return address")
+7228 self["nb_lines_stack"] = (8, "Number of line in the stack pane")
+7229 self["grow_stack_down"] = (False, "Order of stack downward starts at largest down to stack pointer")
+7230 self["nb_lines_backtrace"] = (10, "Number of line in the backtrace pane")
+7231 self["nb_lines_backtrace_before"] = (2, "Number of line in the backtrace pane before selected frame")
+7232 self["nb_lines_threads"] = (-1, "Number of line in the threads pane")
+7233 self["nb_lines_code"] = (6, "Number of instruction after $pc")
+7234 self["nb_lines_code_prev"] = (3, "Number of instruction before $pc")
+7235 self["ignore_registers"] = ("", "Space-separated list of registers not to display (e.g. '$cs $ds $gs')")
+7236 self["clear_screen"] = (True, "Clear the screen before printing the context")
+7237 self["layout"] = ("legend regs stack code args source memory threads trace extra", "Change the order/presence of the context sections")
+7238 self["redirect"] = ("", "Redirect the context information to another TTY")
+7239 self["libc_args"] = (False, "[DEPRECATED - Unused] Show libc function call args description")
+7240 self["libc_args_path"] = ("", "[DEPRECATED - Unused] Path to libc function call args json files, provided via gef-extras")
+ +7242 self.layout_mapping = {
+7243 "legend": (self.show_legend, None, None),
+7244 "regs": (self.context_regs, None, None),
+7245 "stack": (self.context_stack, None, None),
+7246 "code": (self.context_code, None, None),
+7247 "args": (self.context_args, None, None),
+7248 "memory": (self.context_memory, None, None),
+7249 "source": (self.context_source, None, None),
+7250 "trace": (self.context_trace, None, None),
+7251 "threads": (self.context_threads, None, None),
+7252 "extra": (self.context_additional_information, None, None),
+7253 }
+ +7255 self.instruction_iterator = gef_disassemble
+7256 return
+ +7258 def post_load(self) -> None:
+7259 gef_on_continue_hook(self.update_registers)
+7260 gef_on_continue_hook(self.empty_extra_messages)
+7261 return
+ +7263 def show_legend(self) -> None:
+7264 if gef.config["gef.disable_color"] is True: 7264 ↛ 7265line 7264 didn't jump to line 7265, because the condition on line 7264 was never true
+7265 return
+7266 str_color = gef.config["theme.dereference_string"]
+7267 code_addr_color = gef.config["theme.address_code"]
+7268 stack_addr_color = gef.config["theme.address_stack"]
+7269 heap_addr_color = gef.config["theme.address_heap"]
+7270 changed_register_color = gef.config["theme.registers_value_changed"]
+ +7272 gef_print("[ Legend: {} | {} | {} | {} | {} ]".format(Color.colorify("Modified register", changed_register_color),
+7273 Color.colorify("Code", code_addr_color),
+7274 Color.colorify("Heap", heap_addr_color),
+7275 Color.colorify("Stack", stack_addr_color),
+7276 Color.colorify("String", str_color)))
+7277 return
+ +7279 @only_if_gdb_running
+7280 def do_invoke(self, argv: List[str]) -> None:
+7281 if not self["enable"] or gef.ui.context_hidden:
+7282 return
+ +7284 if not all(_ in self.layout_mapping for _ in argv): 7284 ↛ 7285line 7284 didn't jump to line 7285, because the condition on line 7284 was never true
+7285 self.usage()
+7286 return
+ +7288 if len(argv) > 0: 7288 ↛ 7289line 7288 didn't jump to line 7289, because the condition on line 7288 was never true
+7289 current_layout = argv
+7290 else:
+7291 current_layout = self["layout"].strip().split()
+ +7293 if not current_layout: 7293 ↛ 7294line 7293 didn't jump to line 7294, because the condition on line 7293 was never true
+7294 return
+ +7296 self.tty_rows, self.tty_columns = get_terminal_size()
+ +7298 redirect = self["redirect"]
+7299 if redirect and os.access(redirect, os.W_OK): 7299 ↛ 7300line 7299 didn't jump to line 7300, because the condition on line 7299 was never true
+7300 enable_redirect_output(to_file=redirect)
+ +7302 for section in current_layout:
+7303 if section[0] == "-":
+7304 continue
+ +7306 try:
+7307 display_pane_function, pane_title_function, condition = self.layout_mapping[section]
+7308 if condition: 7308 ↛ 7309line 7308 didn't jump to line 7309, because the condition on line 7308 was never true
+7309 if not condition():
+7310 continue
+7311 if pane_title_function: 7311 ↛ 7312line 7311 didn't jump to line 7312, because the condition on line 7311 was never true
+7312 self.context_title(pane_title_function())
+7313 display_pane_function()
+7314 except gdb.MemoryError as e:
+7315 # a MemoryError will happen when $pc is corrupted (invalid address)
+7316 err(str(e))
+7317 except IndexError:
+7318 # the `section` is not present, just skip
+7319 pass
+ +7321 self.context_title("")
+ +7323 if self["clear_screen"] and len(argv) == 0:
+7324 clear_screen(redirect)
+ +7326 if redirect and os.access(redirect, os.W_OK): 7326 ↛ 7327line 7326 didn't jump to line 7327, because the condition on line 7326 was never true
+7327 disable_redirect_output()
+7328 return
+ +7330 def context_title(self, m: Optional[str]) -> None:
+7331 # allow for not displaying a title line
+7332 if m is None: 7332 ↛ 7333line 7332 didn't jump to line 7333, because the condition on line 7332 was never true
+7333 return
+ +7335 line_color = gef.config["theme.context_title_line"]
+7336 msg_color = gef.config["theme.context_title_message"]
+ +7338 # print an empty line in case of ""
+7339 if not m:
+7340 gef_print(Color.colorify(HORIZONTAL_LINE * self.tty_columns, line_color))
+7341 return
+ +7343 trail_len = len(m) + 6
+7344 title = ""
+7345 title += Color.colorify("{:{padd}<{width}} ".format("",
+7346 width=max(self.tty_columns - trail_len, 0),
+7347 padd=HORIZONTAL_LINE),
+7348 line_color)
+7349 title += Color.colorify(m, msg_color)
+7350 title += Color.colorify(" {:{padd}<4}".format("", padd=HORIZONTAL_LINE),
+7351 line_color)
+7352 gef_print(title)
+7353 return
+ +7355 def context_regs(self) -> None:
+7356 self.context_title("registers")
+7357 ignored_registers = set(self["ignore_registers"].split())
+ +7359 if self["show_registers_raw"] is False: 7359 ↛ 7365line 7359 didn't jump to line 7365, because the condition on line 7359 was never false
+7360 regs = set(gef.arch.all_registers)
+7361 printable_registers = " ".join(regs - ignored_registers)
+7362 gdb.execute(f"registers {printable_registers}")
+7363 return
+ +7365 widest = l = max(map(len, gef.arch.all_registers))
+7366 l += 5
+7367 l += gef.arch.ptrsize * 2
+7368 nb = get_terminal_size()[1] // l
+7369 i = 1
+7370 line = ""
+7371 changed_color = gef.config["theme.registers_value_changed"]
+7372 regname_color = gef.config["theme.registers_register_name"]
+ +7374 for reg in gef.arch.all_registers:
+7375 if reg in ignored_registers:
+7376 continue
+ +7378 try:
+7379 r = gdb.parse_and_eval(reg)
+7380 if r.type.code == gdb.TYPE_CODE_VOID:
+7381 continue
+ +7383 new_value_type_flag = r.type.code == gdb.TYPE_CODE_FLAGS
+7384 new_value = int(r)
+ +7386 except (gdb.MemoryError, gdb.error):
+7387 # If this exception is triggered, it means that the current register
+7388 # is corrupted. Just use the register "raw" value (not eval-ed)
+7389 new_value = gef.arch.register(reg)
+7390 new_value_type_flag = False
+ +7392 except Exception:
+7393 new_value = 0
+7394 new_value_type_flag = False
+ +7396 old_value = self.old_registers.get(reg, 0)
+ +7398 padreg = reg.ljust(widest, " ")
+7399 value = align_address(new_value)
+7400 old_value = align_address(old_value or 0)
+7401 if value == old_value:
+7402 line += f"{Color.colorify(padreg, regname_color)}: "
+7403 else:
+7404 line += f"{Color.colorify(padreg, changed_color)}: "
+7405 if new_value_type_flag:
+7406 line += f"{format_address_spaces(value)} "
+7407 else:
+7408 addr = lookup_address(align_address(int(value)))
+7409 if addr.valid:
+7410 line += f"{addr!s} "
+7411 else:
+7412 line += f"{format_address_spaces(value)} "
+ +7414 if i % nb == 0:
+7415 gef_print(line)
+7416 line = ""
+7417 i += 1
+ +7419 if line:
+7420 gef_print(line)
+ +7422 gef_print(f"Flags: {gef.arch.flag_register_to_human()}")
+7423 return
+ +7425 def context_stack(self) -> None:
+7426 self.context_title("stack")
+ +7428 show_raw = self["show_stack_raw"]
+7429 nb_lines = self["nb_lines_stack"]
+ +7431 try:
+7432 sp = gef.arch.sp
+7433 if show_raw is True: 7433 ↛ 7434line 7433 didn't jump to line 7434, because the condition on line 7433 was never true
+7434 mem = gef.memory.read(sp, 0x10 * nb_lines)
+7435 gef_print(hexdump(mem, base=sp))
+7436 else:
+7437 gdb.execute(f"dereference -l {nb_lines:d} {sp:#x}")
+ +7439 except gdb.MemoryError:
+7440 err("Cannot read memory from $SP (corrupted stack pointer?)")
+ +7442 return
+ +7444 def addr_has_breakpoint(self, address: int, bp_locations: List[str]) -> bool:
+7445 return any(hex(address) in b for b in bp_locations)
+ +7447 def context_code(self) -> None:
+7448 nb_insn = self["nb_lines_code"]
+7449 nb_insn_prev = self["nb_lines_code_prev"]
+7450 show_opcodes_size = "show_opcodes_size" in self and self["show_opcodes_size"]
+7451 past_insns_color = gef.config["theme.old_context"]
+7452 cur_insn_color = gef.config["theme.disassemble_current_instruction"]
+7453 pc = gef.arch.pc
+7454 breakpoints = gdb.breakpoints() or []
+7455 bp_locations = [b.location for b in breakpoints if b.location and b.location.startswith("*")]
+ +7457 frame = gdb.selected_frame()
+7458 arch_name = f"{gef.arch.arch.lower()}:{gef.arch.mode}"
+ +7460 self.context_title(f"code:{arch_name}")
+ +7462 try:
+ + +7465 for insn in self.instruction_iterator(pc, nb_insn, nb_prev=nb_insn_prev):
+7466 line = []
+7467 is_taken = False
+7468 target = None
+7469 bp_prefix = Color.redify(BP_GLYPH) if self.addr_has_breakpoint(insn.address, bp_locations) else " "
+ +7471 if show_opcodes_size == 0:
+7472 text = str(insn)
+7473 else:
+7474 insn_fmt = f"{{:{show_opcodes_size}o}}"
+7475 text = insn_fmt.format(insn)
+ +7477 if insn.address < pc:
+7478 line += f"{bp_prefix} {Color.colorify(text, past_insns_color)}"
+ +7480 elif insn.address == pc:
+7481 line += f"{bp_prefix}{Color.colorify(f'{RIGHT_ARROW[1:]}{text}', cur_insn_color)}"
+ +7483 if gef.arch.is_conditional_branch(insn): 7483 ↛ 7484line 7483 didn't jump to line 7484, because the condition on line 7483 was never true
+7484 is_taken, reason = gef.arch.is_branch_taken(insn)
+7485 if is_taken:
+7486 target = insn.operands[-1].split()[0]
+7487 reason = f"[Reason: {reason}]" if reason else ""
+7488 line += Color.colorify(f"\tTAKEN {reason}", "bold green")
+7489 else:
+7490 reason = f"[Reason: !({reason})]" if reason else ""
+7491 line += Color.colorify(f"\tNOT taken {reason}", "bold red")
+7492 elif gef.arch.is_call(insn) and self["peek_calls"] is True: 7492 ↛ 7493line 7492 didn't jump to line 7493, because the condition on line 7492 was never true
+7493 target = insn.operands[-1].split()[0]
+7494 elif gef.arch.is_ret(insn) and self["peek_ret"] is True:
+7495 target = gef.arch.get_ra(insn, frame)
+ +7497 else:
+7498 line += f"{bp_prefix} {text}"
+ +7500 gef_print("".join(line))
+ +7502 if target:
+7503 try:
+7504 address = int(target, 0) if isinstance(target, str) else target
+7505 except ValueError:
+7506 # If the operand isn't an address right now we can't parse it
+7507 continue
+7508 for i, tinsn in enumerate(self.instruction_iterator(address, nb_insn)): 7508 ↛ 7509, 7508 ↛ 75112 missed branches: 1) line 7508 didn't jump to line 7509, because the loop on line 7508 never started, 2) line 7508 didn't jump to line 7511, because the loop on line 7508 didn't complete
+7509 text= f" {DOWN_ARROW if i == 0 else ' '} {tinsn!s}"
+7510 gef_print(text)
+7511 break
+ +7513 except gdb.MemoryError:
+7514 err("Cannot disassemble from $PC")
+7515 return
+ +7517 def context_args(self) -> None:
+7518 insn = gef_current_instruction(gef.arch.pc)
+7519 if not gef.arch.is_call(insn): 7519 ↛ 7522line 7519 didn't jump to line 7522
+7520 return
+ +7522 self.size2type = {
+7523 1: "BYTE",
+7524 2: "WORD",
+7525 4: "DWORD",
+7526 8: "QWORD",
+7527 }
+ +7529 if insn.operands[-1].startswith(self.size2type[gef.arch.ptrsize]+" PTR"):
+7530 target = "*" + insn.operands[-1].split()[-1]
+7531 elif "$"+insn.operands[0] in gef.arch.all_registers:
+7532 target = f"*{gef.arch.register('$' + insn.operands[0]):#x}"
+7533 else:
+7534 # is there a symbol?
+7535 ops = " ".join(insn.operands)
+7536 if "<" in ops and ">" in ops:
+7537 # extract it
+7538 target = re.sub(r".*<([^\(> ]*).*", r"\1", ops)
+7539 else:
+7540 # it's an address, just use as is
+7541 target = re.sub(r".*(0x[a-fA-F0-9]*).*", r"\1", ops)
+ +7543 sym = gdb.lookup_global_symbol(target)
+7544 if sym is None:
+7545 self.print_guessed_arguments(target)
+7546 return
+ +7548 if sym.type.code != gdb.TYPE_CODE_FUNC:
+7549 err(f"Symbol '{target}' is not a function: type={sym.type.code}")
+7550 return
+ +7552 self.print_arguments_from_symbol(target, sym)
+7553 return
+ +7555 def print_arguments_from_symbol(self, function_name: str, symbol: "gdb.Symbol") -> None:
+7556 """If symbols were found, parse them and print the argument adequately."""
+7557 args = []
+ +7559 for i, f in enumerate(symbol.type.fields()):
+7560 _value = gef.arch.get_ith_parameter(i, in_func=False)[1]
+7561 _value = RIGHT_ARROW.join(dereference_from(_value))
+7562 _name = f.name or f"var_{i}"
+7563 _type = f.type.name or self.size2type[f.type.sizeof]
+7564 args.append(f"{_type} {_name} = {_value}")
+ +7566 self.context_title("arguments")
+ +7568 if not args:
+7569 gef_print(f"{function_name} (<void>)")
+7570 return
+ +7572 gef_print(f"{function_name} (\n "+",\n ".join(args)+"\n)")
+7573 return
+ +7575 def print_guessed_arguments(self, function_name: str) -> None:
+7576 """When no symbol, read the current basic block and look for "interesting" instructions."""
+ +7578 def __get_current_block_start_address() -> Optional[int]:
+7579 pc = gef.arch.pc
+7580 try:
+7581 block = gdb.block_for_pc(pc)
+7582 block_start = block.start if block else gdb_get_nth_previous_instruction_address(pc, 5)
+7583 except RuntimeError:
+7584 block_start = gdb_get_nth_previous_instruction_address(pc, 5)
+7585 return block_start
+ +7587 parameter_set = set()
+7588 pc = gef.arch.pc
+7589 block_start = __get_current_block_start_address()
+7590 if not block_start:
+7591 return
+ +7593 function_parameters = gef.arch.function_parameters
+7594 arg_key_color = gef.config["theme.registers_register_name"]
+ +7596 for insn in self.instruction_iterator(block_start, pc - block_start):
+7597 if not insn.operands:
+7598 continue
+ +7600 if is_x86_32():
+7601 if insn.mnemonic == "push":
+7602 parameter_set.add(insn.operands[0])
+7603 else:
+7604 op = "$" + insn.operands[0]
+7605 if op in function_parameters:
+7606 parameter_set.add(op)
+ +7608 if is_x86_64():
+7609 # also consider extended registers
+7610 extended_registers = {"$rdi": ["$edi", "$di"],
+7611 "$rsi": ["$esi", "$si"],
+7612 "$rdx": ["$edx", "$dx"],
+7613 "$rcx": ["$ecx", "$cx"],
+7614 }
+7615 for exreg in extended_registers:
+7616 if op in extended_registers[exreg]:
+7617 parameter_set.add(exreg)
+ +7619 if is_x86_32():
+7620 nb_argument = len(parameter_set)
+7621 else:
+7622 nb_argument = max([function_parameters.index(p)+1 for p in parameter_set], default=0)
+ +7624 args = []
+7625 for i in range(nb_argument):
+7626 _key, _values = gef.arch.get_ith_parameter(i, in_func=False)
+7627 _values = RIGHT_ARROW.join(dereference_from(_values))
+7628 args.append(f"{Color.colorify(_key, arg_key_color)} = {_values}")
+ +7630 self.context_title("arguments (guessed)")
+7631 gef_print(f"{function_name} (")
+7632 if args:
+7633 gef_print(" " + ",\n ".join(args))
+7634 gef_print(")")
+7635 return
+ +7637 def line_has_breakpoint(self, file_name: str, line_number: int, bp_locations: List[str]) -> bool:
+7638 filename_line = f"{file_name}:{line_number}"
+7639 return any(filename_line in loc for loc in bp_locations)
+ +7641 def context_source(self) -> None:
+7642 try:
+7643 pc = gef.arch.pc
+7644 symtabline = gdb.find_pc_line(pc)
+7645 symtab = symtabline.symtab
+7646 # we subtract one because the line number returned by gdb start at 1
+7647 line_num = symtabline.line - 1
+7648 if not symtab.is_valid(): 7648 ↛ 7649line 7648 didn't jump to line 7649, because the condition on line 7648 was never true
+7649 return
+ +7651 fpath = symtab.fullname()
+7652 with open(fpath, "r") as f:
+7653 lines = [l.rstrip() for l in f.readlines()]
+ +7655 except Exception:
+7656 return
+ +7658 file_base_name = os.path.basename(symtab.filename)
+7659 breakpoints = gdb.breakpoints() or []
+7660 bp_locations = [b.location for b in breakpoints if b.location and file_base_name in b.location]
+7661 past_lines_color = gef.config["theme.old_context"]
+ +7663 nb_line = self["nb_lines_code"]
+7664 fn = symtab.filename
+7665 if len(fn) > 20:
+7666 fn = f"{fn[:15]}[...]{os.path.splitext(fn)[1]}"
+7667 title = f"source:{fn}+{line_num + 1}"
+7668 cur_line_color = gef.config["theme.source_current_line"]
+7669 self.context_title(title)
+7670 show_extra_info = self["show_source_code_variable_values"]
+ +7672 for i in range(line_num - nb_line + 1, line_num + nb_line):
+7673 if i < 0: 7673 ↛ 7674line 7673 didn't jump to line 7674, because the condition on line 7673 was never true
+7674 continue
+ +7676 bp_prefix = Color.redify(BP_GLYPH) if self.line_has_breakpoint(file_base_name, i + 1, bp_locations) else " "
+ +7678 if i < line_num:
+7679 gef_print("{}{}".format(bp_prefix, Color.colorify(f" {i + 1:4d}\t {lines[i]}", past_lines_color)))
+ +7681 if i == line_num:
+7682 prefix = f"{bp_prefix}{RIGHT_ARROW[1:]}{i + 1:4d}\t "
+7683 leading = len(lines[i]) - len(lines[i].lstrip())
+7684 if show_extra_info: 7684 ↛ 7688line 7684 didn't jump to line 7688, because the condition on line 7684 was never false
+7685 extra_info = self.get_pc_context_info(pc, lines[i])
+7686 if extra_info:
+7687 gef_print(f"{' ' * (len(prefix) + leading)}{extra_info}")
+7688 gef_print(Color.colorify(f"{prefix}{lines[i]}", cur_line_color))
+ +7690 if i > line_num:
+7691 try:
+7692 gef_print(f"{bp_prefix} {i + 1:4d}\t {lines[i]}")
+7693 except IndexError:
+7694 break
+7695 return
+ +7697 def get_pc_context_info(self, pc: int, line: str) -> str:
+7698 try:
+7699 current_block = gdb.block_for_pc(pc)
+7700 if not current_block or not current_block.is_valid(): return "" 7700 ↛ exitline 7700 didn't return from function 'get_pc_context_info', because the return on line 7700 wasn't executed
+7701 m = collections.OrderedDict()
+7702 while current_block and not current_block.is_static:
+7703 for sym in current_block:
+7704 symbol = sym.name
+7705 if not sym.is_function and re.search(fr"\W{symbol}\W", line):
+7706 val = gdb.parse_and_eval(symbol)
+7707 if val.type.code in (gdb.TYPE_CODE_PTR, gdb.TYPE_CODE_ARRAY): 7707 ↛ 7708line 7707 didn't jump to line 7708, because the condition on line 7707 was never true
+7708 addr = int(val.address)
+7709 addrs = dereference_from(addr)
+7710 if len(addrs) > 2:
+7711 addrs = [addrs[0], "[...]", addrs[-1]]
+ +7713 f = f" {RIGHT_ARROW} "
+7714 val = f.join(addrs)
+7715 elif val.type.code == gdb.TYPE_CODE_INT: 7715 ↛ 7718line 7715 didn't jump to line 7718, because the condition on line 7715 was never false
+7716 val = hex(int(val))
+7717 else:
+7718 continue
+ +7720 if symbol not in m: 7720 ↛ 7703line 7720 didn't jump to line 7703, because the condition on line 7720 was never false
+7721 m[symbol] = val
+7722 current_block = current_block.superblock
+ +7724 if m:
+7725 return "// " + ", ".join([f"{Color.yellowify(a)}={b}" for a, b in m.items()])
+7726 except Exception:
+7727 pass
+7728 return ""
+ +7730 def context_trace(self) -> None:
+7731 self.context_title("trace")
+ +7733 nb_backtrace = self["nb_lines_backtrace"]
+7734 if nb_backtrace <= 0: 7734 ↛ 7735line 7734 didn't jump to line 7735, because the condition on line 7734 was never true
+7735 return
+ +7737 # backward compat for gdb (gdb < 7.10)
+7738 if not hasattr(gdb, "FrameDecorator"): 7738 ↛ 7739line 7738 didn't jump to line 7739, because the condition on line 7738 was never true
+7739 gdb.execute(f"backtrace {nb_backtrace:d}")
+7740 return
+ +7742 orig_frame = gdb.selected_frame()
+7743 current_frame = gdb.newest_frame()
+7744 frames = [current_frame]
+7745 while current_frame != orig_frame: 7745 ↛ 7746line 7745 didn't jump to line 7746, because the condition on line 7745 was never true
+7746 current_frame = current_frame.older()
+7747 frames.append(current_frame)
+ +7749 nb_backtrace_before = self["nb_lines_backtrace_before"]
+7750 level = max(len(frames) - nb_backtrace_before - 1, 0)
+7751 current_frame = frames[level]
+ +7753 while current_frame:
+7754 current_frame.select()
+7755 if not current_frame.is_valid(): 7755 ↛ 7756line 7755 didn't jump to line 7756, because the condition on line 7755 was never true
+7756 continue
+ +7758 pc = current_frame.pc()
+7759 name = current_frame.name()
+7760 items = []
+7761 items.append(f"{pc:#x}")
+7762 if name:
+7763 frame_args = gdb.FrameDecorator.FrameDecorator(current_frame).frame_args() or []
+7764 m = "{}({})".format(Color.greenify(name),
+7765 ", ".join(["{}={!s}".format(Color.yellowify(x.sym),
+7766 x.sym.value(current_frame)) for x in frame_args]))
+7767 items.append(m)
+7768 else:
+7769 try:
+7770 insn = next(gef_disassemble(pc, 1))
+7771 except gdb.MemoryError:
+7772 break
+ +7774 # check if the gdb symbol table may know the address
+7775 sym_found = gdb_get_location_from_symbol(pc)
+7776 symbol = ""
+7777 if sym_found: 7777 ↛ 7778line 7777 didn't jump to line 7778, because the condition on line 7777 was never true
+7778 sym_name, offset = sym_found
+7779 symbol = f" <{sym_name}+{offset:x}> "
+ +7781 items.append(Color.redify(f"{symbol}{insn.mnemonic} {', '.join(insn.operands)}"))
+ +7783 gef_print("[{}] {}".format(Color.colorify(f"#{level}", "bold green" if current_frame == orig_frame else "bold pink"),
+7784 RIGHT_ARROW.join(items)))
+7785 current_frame = current_frame.older()
+7786 level += 1
+7787 nb_backtrace -= 1
+7788 if nb_backtrace == 0: 7788 ↛ 7789line 7788 didn't jump to line 7789, because the condition on line 7788 was never true
+7789 break
+ +7791 orig_frame.select()
+7792 return
+ +7794 def context_threads(self) -> None:
+7795 def reason() -> str:
+7796 res = gdb.execute("info program", to_string=True)
+7797 if not res: 7797 ↛ 7798line 7797 didn't jump to line 7798, because the condition on line 7797 was never true
+7798 return "NOT RUNNING"
+ +7800 for line in res.splitlines(): 7800 ↛ 7813line 7800 didn't jump to line 7813, because the loop on line 7800 didn't complete
+7801 line = line.strip()
+7802 if line.startswith("It stopped with signal "):
+7803 return line.replace("It stopped with signal ", "").split(",", 1)[0]
+7804 if line == "The program being debugged is not being run.": 7804 ↛ 7805line 7804 didn't jump to line 7805, because the condition on line 7804 was never true
+7805 return "NOT RUNNING"
+7806 if line == "It stopped at a breakpoint that has since been deleted.": 7806 ↛ 7807line 7806 didn't jump to line 7807, because the condition on line 7806 was never true
+7807 return "TEMPORARY BREAKPOINT"
+7808 if line.startswith("It stopped at breakpoint "):
+7809 return "BREAKPOINT"
+7810 if line == "It stopped after being stepped.": 7810 ↛ 7811line 7810 didn't jump to line 7811, because the condition on line 7810 was never true
+7811 return "SINGLE STEP"
+ +7813 return "STOPPED"
+ +7815 self.context_title("threads")
+ +7817 threads = gdb.selected_inferior().threads()[::-1]
+7818 idx = self["nb_lines_threads"]
+7819 if idx > 0: 7819 ↛ 7820line 7819 didn't jump to line 7820, because the condition on line 7819 was never true
+7820 threads = threads[0:idx]
+ +7822 if idx == 0: 7822 ↛ 7823line 7822 didn't jump to line 7823, because the condition on line 7822 was never true
+7823 return
+ +7825 if not threads: 7825 ↛ 7826line 7825 didn't jump to line 7826, because the condition on line 7825 was never true
+7826 err("No thread selected")
+7827 return
+ +7829 selected_thread = gdb.selected_thread()
+7830 selected_frame = gdb.selected_frame()
+ +7832 for i, thread in enumerate(threads):
+7833 line = f"[{Color.colorify(f'#{i:d}', 'bold green' if thread == selected_thread else 'bold pink')}] Id {thread.num:d}, "
+7834 if thread.name:
+7835 line += f"""Name: "{thread.name}", """
+7836 if thread.is_running(): 7836 ↛ 7837line 7836 didn't jump to line 7837, because the condition on line 7836 was never true
+7837 line += Color.colorify("running", "bold green")
+7838 elif thread.is_stopped(): 7838 ↛ 7854line 7838 didn't jump to line 7854, because the condition on line 7838 was never false
+7839 line += Color.colorify("stopped", "bold red")
+7840 thread.switch()
+7841 frame = gdb.selected_frame()
+7842 frame_name = frame.name()
+ +7844 # check if the gdb symbol table may know the address
+7845 if not frame_name:
+7846 sym_found = gdb_get_location_from_symbol(frame.pc())
+7847 if sym_found: 7847 ↛ 7848line 7847 didn't jump to line 7848, because the condition on line 7847 was never true
+7848 sym_name, offset = sym_found
+7849 frame_name = f"<{sym_name}+{offset:x}>"
+ +7851 line += (f" {Color.colorify(f'{frame.pc():#x}', 'blue')} in "
+7852 f"{Color.colorify(frame_name or '??', 'bold yellow')} (), "
+7853 f"reason: {Color.colorify(reason(), 'bold pink')}")
+7854 elif thread.is_exited():
+7855 line += Color.colorify("exited", "bold yellow")
+7856 gef_print(line)
+7857 i += 1
+ +7859 selected_thread.switch()
+7860 selected_frame.select()
+7861 return
+ +7863 def context_additional_information(self) -> None:
+7864 if not gef.ui.context_messages:
+7865 return
+ +7867 self.context_title("extra")
+7868 for level, text in gef.ui.context_messages:
+7869 if level == "error": err(text) 7869 ↛ 7868line 7869 didn't jump to line 7868
+7870 elif level == "warn": warn(text) 7870 ↛ 7871line 7870 didn't jump to line 7871, because the condition on line 7870 was never false
+7871 elif level == "success": ok(text)
+7872 else: info(text)
+7873 return
+ +7875 def context_memory(self) -> None:
+7876 for address, opt in sorted(gef.ui.watches.items()):
+7877 sz, fmt = opt[0:2]
+7878 self.context_title(f"memory:{address:#x}")
+7879 if fmt == "pointers": 7879 ↛ 7880line 7879 didn't jump to line 7880, because the condition on line 7879 was never true
+7880 gdb.execute(f"dereference -l {sz:d} {address:#x}")
+7881 else:
+7882 gdb.execute(f"hexdump {fmt} -s {sz:d} {address:#x}")
+ +7884 @classmethod
+7885 def update_registers(cls, _) -> None:
+7886 for reg in gef.arch.all_registers:
+7887 try:
+7888 cls.old_registers[reg] = gef.arch.register(reg)
+7889 except Exception:
+7890 cls.old_registers[reg] = 0
+7891 return
+ +7893 def empty_extra_messages(self, _) -> None:
+7894 gef.ui.context_messages.clear()
+7895 return
+ + +7898@register
+7899class MemoryCommand(GenericCommand):
+7900 """Add or remove address ranges to the memory view."""
+7901 _cmdline_ = "memory"
+7902 _syntax_ = f"{_cmdline_} (watch|unwatch|reset|list)"
+ +7904 def __init__(self) -> None:
+7905 super().__init__(prefix=True)
+7906 return
+ +7908 @only_if_gdb_running
+7909 def do_invoke(self, argv: List[str]) -> None:
+7910 self.usage()
+7911 return
+ + +7914@register
+7915class MemoryWatchCommand(GenericCommand):
+7916 """Adds address ranges to the memory view."""
+7917 _cmdline_ = "memory watch"
+7918 _syntax_ = f"{_cmdline_} ADDRESS [SIZE] [(qword|dword|word|byte|pointers)]"
+7919 _example_ = (f"\n{_cmdline_} 0x603000 0x100 byte"
+7920 f"\n{_cmdline_} $sp")
+ +7922 def __init__(self) -> None:
+7923 super().__init__(complete=gdb.COMPLETE_LOCATION)
+7924 return
+ +7926 @only_if_gdb_running
+7927 def do_invoke(self, argv: List[str]) -> None:
+7928 if len(argv) not in (1, 2, 3): 7928 ↛ 7929line 7928 didn't jump to line 7929, because the condition on line 7928 was never true
+7929 self.usage()
+7930 return
+ +7932 address = parse_address(argv[0])
+7933 size = parse_address(argv[1]) if len(argv) > 1 else 0x10
+7934 group = "byte"
+ +7936 if len(argv) == 3:
+7937 group = argv[2].lower()
+7938 if group not in ("qword", "dword", "word", "byte", "pointers"): 7938 ↛ 7939line 7938 didn't jump to line 7939, because the condition on line 7938 was never true
+7939 warn(f"Unexpected grouping '{group}'")
+7940 self.usage()
+7941 return
+7942 else:
+7943 if gef.arch.ptrsize == 4: 7943 ↛ 7944line 7943 didn't jump to line 7944, because the condition on line 7943 was never true
+7944 group = "dword"
+7945 elif gef.arch.ptrsize == 8: 7945 ↛ 7948line 7945 didn't jump to line 7948, because the condition on line 7945 was never false
+7946 group = "qword"
+ +7948 gef.ui.watches[address] = (size, group)
+7949 ok(f"Adding memwatch to {address:#x}")
+7950 return
+ + +7953@register
+7954class MemoryUnwatchCommand(GenericCommand):
+7955 """Removes address ranges to the memory view."""
+7956 _cmdline_ = "memory unwatch"
+7957 _syntax_ = f"{_cmdline_} ADDRESS"
+7958 _example_ = (f"\n{_cmdline_} 0x603000"
+7959 f"\n{_cmdline_} $sp")
+ +7961 def __init__(self) -> None:
+7962 super().__init__(complete=gdb.COMPLETE_LOCATION)
+7963 return
+ +7965 @only_if_gdb_running
+7966 def do_invoke(self, argv: List[str]) -> None:
+7967 if not argv: 7967 ↛ 7968line 7967 didn't jump to line 7968, because the condition on line 7967 was never true
+7968 self.usage()
+7969 return
+ +7971 address = parse_address(argv[0])
+7972 res = gef.ui.watches.pop(address, None)
+7973 if not res: 7973 ↛ 7976line 7973 didn't jump to line 7976, because the condition on line 7973 was never false
+7974 warn(f"You weren't watching {address:#x}")
+7975 else:
+7976 ok(f"Removed memwatch of {address:#x}")
+7977 return
+ + +7980@register
+7981class MemoryWatchResetCommand(GenericCommand):
+7982 """Removes all watchpoints."""
+7983 _cmdline_ = "memory reset"
+7984 _syntax_ = f"{_cmdline_}"
+ +7986 @only_if_gdb_running
+7987 def do_invoke(self, _: List[str]) -> None:
+7988 gef.ui.watches.clear()
+7989 ok("Memory watches cleared")
+7990 return
+ + +7993@register
+7994class MemoryWatchListCommand(GenericCommand):
+7995 """Lists all watchpoints to display in context layout."""
+7996 _cmdline_ = "memory list"
+7997 _syntax_ = f"{_cmdline_}"
+ +7999 @only_if_gdb_running
+8000 def do_invoke(self, _: List[str]) -> None:
+8001 if not gef.ui.watches: 8001 ↛ 8005line 8001 didn't jump to line 8005, because the condition on line 8001 was never false
+8002 info("No memory watches")
+8003 return
+ +8005 info("Memory watches:")
+8006 for address, opt in sorted(gef.ui.watches.items()):
+8007 gef_print(f"- {address:#x} ({opt[0]}, {opt[1]})")
+8008 return
+ + +8011@register
+8012class HexdumpCommand(GenericCommand):
+8013 """Display SIZE lines of hexdump from the memory location pointed by LOCATION."""
+ +8015 _cmdline_ = "hexdump"
+8016 _syntax_ = f"{_cmdline_} (qword|dword|word|byte) [LOCATION] [--size SIZE] [--reverse]"
+8017 _example_ = f"{_cmdline_} byte $rsp --size 16 --reverse"
+ +8019 def __init__(self) -> None:
+8020 super().__init__(complete=gdb.COMPLETE_LOCATION, prefix=True)
+8021 self["always_show_ascii"] = (False, "If true, hexdump will always display the ASCII dump")
+8022 self.format: Optional[str] = None
+8023 self.__last_target = "$sp"
+8024 return
+ +8026 @only_if_gdb_running
+8027 @parse_arguments({"address": "",}, {("--reverse", "-r"): True, ("--size", "-s"): 0})
+8028 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+8029 valid_formats = ["byte", "word", "dword", "qword"]
+8030 if not self.format or self.format not in valid_formats: 8030 ↛ 8031line 8030 didn't jump to line 8031, because the condition on line 8030 was never true
+8031 err("Invalid command")
+8032 return
+ +8034 args : argparse.Namespace = kwargs["arguments"]
+8035 target = args.address or self.__last_target
+8036 start_addr = parse_address(target)
+8037 read_from = align_address(start_addr)
+ +8039 if self.format == "byte":
+8040 read_len = args.size or 0x40
+8041 read_from += self.repeat_count * read_len
+8042 mem = gef.memory.read(read_from, read_len)
+8043 lines = hexdump(mem, base=read_from).splitlines()
+8044 else:
+8045 read_len = args.size or 0x10
+8046 lines = self._hexdump(read_from, read_len, self.format, self.repeat_count * read_len)
+ +8048 if args.reverse:
+8049 lines.reverse()
+ +8051 self.__last_target = target
+8052 gef_print("\n".join(lines))
+8053 return
+ +8055 def _hexdump(self, start_addr: int, length: int, arrange_as: str, offset: int = 0) -> List[str]:
+8056 endianness = gef.arch.endianness
+ +8058 base_address_color = gef.config["theme.dereference_base_address"]
+8059 show_ascii = gef.config["hexdump.always_show_ascii"]
+ +8061 formats = {
+8062 "qword": ("Q", 8),
+8063 "dword": ("I", 4),
+8064 "word": ("H", 2),
+8065 }
+ +8067 r, l = formats[arrange_as]
+8068 fmt_str = f"{{base}}{VERTICAL_LINE}+{{offset:#06x}} {{sym}}{{val:#0{l*2+2}x}} {{text}}"
+8069 fmt_pack = f"{endianness!s}{r}"
+8070 lines = []
+ +8072 i = 0
+8073 text = ""
+8074 while i < length:
+8075 cur_addr = start_addr + (i + offset) * l
+8076 sym = gdb_get_location_from_symbol(cur_addr)
+8077 sym = "<{:s}+{:04x}> ".format(*sym) if sym else ""
+8078 mem = gef.memory.read(cur_addr, l)
+8079 val = struct.unpack(fmt_pack, mem)[0]
+8080 if show_ascii: 8080 ↛ 8081line 8080 didn't jump to line 8081, because the condition on line 8080 was never true
+8081 text = "".join([chr(b) if 0x20 <= b < 0x7F else "." for b in mem])
+8082 lines.append(fmt_str.format(base=Color.colorify(format_address(cur_addr), base_address_color),
+8083 offset=(i + offset) * l, sym=sym, val=val, text=text))
+8084 i += 1
+ +8086 return lines
+ + +8089@register
+8090class HexdumpQwordCommand(HexdumpCommand):
+8091 """Display SIZE lines of hexdump as QWORD from the memory location pointed by ADDRESS."""
+ +8093 _cmdline_ = "hexdump qword"
+8094 _syntax_ = f"{_cmdline_} [ADDRESS] [[L][SIZE]] [REVERSE]"
+8095 _example_ = f"{_cmdline_} qword $rsp L16 REVERSE"
+ +8097 def __init__(self) -> None:
+8098 super().__init__()
+8099 self.format = "qword"
+8100 return
+ + +8103@register
+8104class HexdumpDwordCommand(HexdumpCommand):
+8105 """Display SIZE lines of hexdump as DWORD from the memory location pointed by ADDRESS."""
+ +8107 _cmdline_ = "hexdump dword"
+8108 _syntax_ = f"{_cmdline_} [ADDRESS] [[L][SIZE]] [REVERSE]"
+8109 _example_ = f"{_cmdline_} $esp L16 REVERSE"
+ +8111 def __init__(self) -> None:
+8112 super().__init__()
+8113 self.format = "dword"
+8114 return
+ + +8117@register
+8118class HexdumpWordCommand(HexdumpCommand):
+8119 """Display SIZE lines of hexdump as WORD from the memory location pointed by ADDRESS."""
+ +8121 _cmdline_ = "hexdump word"
+8122 _syntax_ = f"{_cmdline_} [ADDRESS] [[L][SIZE]] [REVERSE]"
+8123 _example_ = f"{_cmdline_} $esp L16 REVERSE"
+ +8125 def __init__(self) -> None:
+8126 super().__init__()
+8127 self.format = "word"
+8128 return
+ + +8131@register
+8132class HexdumpByteCommand(HexdumpCommand):
+8133 """Display SIZE lines of hexdump as BYTE from the memory location pointed by ADDRESS."""
+ +8135 _cmdline_ = "hexdump byte"
+8136 _syntax_ = f"{_cmdline_} [ADDRESS] [[L][SIZE]] [REVERSE]"
+8137 _example_ = f"{_cmdline_} $rsp L16"
+ +8139 def __init__(self) -> None:
+8140 super().__init__()
+8141 self.format = "byte"
+8142 return
+ + +8145@register
+8146class PatchCommand(GenericCommand):
+8147 """Write specified values to the specified address."""
+ +8149 _cmdline_ = "patch"
+8150 _syntax_ = (f"{_cmdline_} (qword|dword|word|byte) LOCATION VALUES\n"
+8151 f"{_cmdline_} string LOCATION \"double-escaped string\"")
+8152 SUPPORTED_SIZES = {
+8153 "qword": (8, "Q"),
+8154 "dword": (4, "L"),
+8155 "word": (2, "H"),
+8156 "byte": (1, "B"),
+8157 }
+ +8159 def __init__(self) -> None:
+8160 super().__init__(prefix=True, complete=gdb.COMPLETE_LOCATION)
+8161 self.format: Optional[str] = None
+8162 return
+ +8164 @only_if_gdb_running
+8165 @parse_arguments({"location": "", "values": ["", ]}, {})
+8166 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+8167 args : argparse.Namespace = kwargs["arguments"]
+8168 if not self.format or self.format not in self.SUPPORTED_SIZES: 8168 ↛ 8169line 8168 didn't jump to line 8169, because the condition on line 8168 was never true
+8169 self.usage()
+8170 return
+ +8172 if not args.location or not args.values: 8172 ↛ 8173line 8172 didn't jump to line 8173, because the condition on line 8172 was never true
+8173 self.usage()
+8174 return
+ +8176 addr = align_address(parse_address(args.location))
+8177 size, fcode = self.SUPPORTED_SIZES[self.format]
+8178 values = args.values
+ +8180 if size == 1:
+8181 if values[0].startswith("$_gef"):
+8182 var_name = values[0]
+8183 try:
+8184 values = str(gdb.parse_and_eval(var_name)).lstrip("{").rstrip("}").replace(",","").split(" ")
+8185 except:
+8186 gef_print(f"Bad variable specified, check value with command: p {var_name}")
+8187 return
+ +8189 d = str(gef.arch.endianness)
+8190 for value in values:
+8191 value = parse_address(value) & ((1 << size * 8) - 1)
+8192 vstr = struct.pack(d + fcode, value)
+8193 gef.memory.write(addr, vstr, length=size)
+8194 addr += size
+8195 return
+ + +8198@register
+8199class PatchQwordCommand(PatchCommand):
+8200 """Write specified QWORD to the specified address."""
+ +8202 _cmdline_ = "patch qword"
+8203 _syntax_ = f"{_cmdline_} LOCATION QWORD1 [QWORD2 [QWORD3..]]"
+8204 _example_ = f"{_cmdline_} $rip 0x4141414141414141"
+ +8206 def __init__(self) -> None:
+8207 super().__init__()
+8208 self.format = "qword"
+8209 return
+ + +8212@register
+8213class PatchDwordCommand(PatchCommand):
+8214 """Write specified DWORD to the specified address."""
+ +8216 _cmdline_ = "patch dword"
+8217 _syntax_ = f"{_cmdline_} LOCATION DWORD1 [DWORD2 [DWORD3..]]"
+8218 _example_ = f"{_cmdline_} $rip 0x41414141"
+ +8220 def __init__(self) -> None:
+8221 super().__init__()
+8222 self.format = "dword"
+8223 return
+ + +8226@register
+8227class PatchWordCommand(PatchCommand):
+8228 """Write specified WORD to the specified address."""
+ +8230 _cmdline_ = "patch word"
+8231 _syntax_ = f"{_cmdline_} LOCATION WORD1 [WORD2 [WORD3..]]"
+8232 _example_ = f"{_cmdline_} $rip 0x4141"
+ +8234 def __init__(self) -> None:
+8235 super().__init__()
+8236 self.format = "word"
+8237 return
+ + +8240@register
+8241class PatchByteCommand(PatchCommand):
+8242 """Write specified BYTE to the specified address."""
+ +8244 _cmdline_ = "patch byte"
+8245 _syntax_ = f"{_cmdline_} LOCATION BYTE1 [BYTE2 [BYTE3..]]"
+8246 _example_ = f"{_cmdline_} $pc 0x41 0x41 0x41 0x41 0x41"
+ +8248 def __init__(self) -> None:
+8249 super().__init__()
+8250 self.format = "byte"
+8251 return
+ + +8254@register
+8255class PatchStringCommand(GenericCommand):
+8256 """Write specified string to the specified memory location pointed by ADDRESS."""
+ +8258 _cmdline_ = "patch string"
+8259 _syntax_ = f"{_cmdline_} ADDRESS \"double backslash-escaped string\""
+8260 _example_ = f"{_cmdline_} $sp \"GEFROCKS\""
+ +8262 @only_if_gdb_running
+8263 def do_invoke(self, argv: List[str]) -> None:
+8264 argc = len(argv)
+8265 if argc != 2: 8265 ↛ 8266line 8265 didn't jump to line 8266, because the condition on line 8265 was never true
+8266 self.usage()
+8267 return
+ +8269 location, s = argv[0:2]
+8270 addr = align_address(parse_address(location))
+ +8272 try:
+8273 s = codecs.escape_decode(s)[0]
+8274 except binascii.Error:
+8275 gef_print(f"Could not decode '\\xXX' encoded string \"{s}\"")
+8276 return
+ +8278 gef.memory.write(addr, s, len(s))
+8279 return
+ + +8282@lru_cache()
+8283def dereference_from(address: int) -> List[str]:
+8284 if not is_alive(): 8284 ↛ 8285line 8284 didn't jump to line 8285, because the condition on line 8284 was never true
+8285 return [format_address(address),]
+ +8287 code_color = gef.config["theme.dereference_code"]
+8288 string_color = gef.config["theme.dereference_string"]
+8289 max_recursion = gef.config["dereference.max_recursion"] or 10
+8290 addr = lookup_address(align_address(address))
+8291 msg = [format_address(addr.value),]
+8292 seen_addrs = set()
+ +8294 while addr.section and max_recursion:
+8295 if addr.value in seen_addrs:
+8296 msg.append("[loop detected]")
+8297 break
+8298 seen_addrs.add(addr.value)
+ +8300 max_recursion -= 1
+ +8302 # Is this value a pointer or a value?
+8303 # -- If it's a pointer, dereference
+8304 deref = addr.dereference()
+8305 if deref is None:
+8306 # if here, dereferencing addr has triggered a MemoryError, no need to go further
+8307 msg.append(str(addr))
+8308 break
+ +8310 new_addr = lookup_address(deref)
+8311 if new_addr.valid:
+8312 addr = new_addr
+8313 msg.append(str(addr))
+8314 continue
+ +8316 # -- Otherwise try to parse the value
+8317 if addr.section: 8317 ↛ 8338line 8317 didn't jump to line 8338, because the condition on line 8317 was never false
+8318 if addr.section.is_executable() and addr.is_in_text_segment() and not is_ascii_string(addr.value):
+8319 insn = gef_current_instruction(addr.value)
+8320 insn_str = f"{insn.location} {insn.mnemonic} {', '.join(insn.operands)}"
+8321 msg.append(Color.colorify(insn_str, code_color))
+8322 break
+ +8324 elif addr.section.permission & Permission.READ: 8324 ↛ 8338line 8324 didn't jump to line 8338, because the condition on line 8324 was never false
+8325 if is_ascii_string(addr.value):
+8326 s = gef.memory.read_cstring(addr.value)
+8327 if len(s) < gef.arch.ptrsize:
+8328 txt = f'{format_address(deref)} ("{Color.colorify(s, string_color)}"?)'
+8329 elif len(s) > 50:
+8330 txt = Color.colorify(f'"{s[:50]}[...]"', string_color)
+8331 else:
+8332 txt = Color.colorify(f'"{s}"', string_color)
+ +8334 msg.append(txt)
+8335 break
+ +8337 # if not able to parse cleanly, simply display and break
+8338 val = "{:#0{ma}x}".format(int(deref & 0xFFFFFFFFFFFFFFFF), ma=(gef.arch.ptrsize * 2 + 2))
+8339 msg.append(val)
+8340 break
+ +8342 return msg
+ + +8345@register
+8346class DereferenceCommand(GenericCommand):
+8347 """Dereference recursively from an address and display information. This acts like WinDBG `dps`
+8348 command."""
+ +8350 _cmdline_ = "dereference"
+8351 _syntax_ = f"{_cmdline_} [-h] [--length LENGTH] [--reference REFERENCE] [address]"
+8352 _aliases_ = ["telescope", ]
+8353 _example_ = f"{_cmdline_} --length 20 --reference $sp+0x10 $sp"
+ +8355 def __init__(self) -> None:
+8356 super().__init__(complete=gdb.COMPLETE_LOCATION)
+8357 self["max_recursion"] = (7, "Maximum level of pointer recursion")
+8358 return
+ +8360 @staticmethod
+8361 def pprint_dereferenced(addr: int, idx: int, base_offset: int = 0) -> str:
+8362 base_address_color = gef.config["theme.dereference_base_address"]
+8363 registers_color = gef.config["theme.dereference_register_value"]
+ +8365 sep = f" {RIGHT_ARROW} "
+8366 memalign = gef.arch.ptrsize
+ +8368 offset = idx * memalign
+8369 current_address = align_address(addr + offset)
+8370 addrs = dereference_from(current_address)
+8371 l = ""
+8372 addr_l = format_address(int(addrs[0], 16))
+8373 l += "{}{}{:+#07x}: {:{ma}s}".format(Color.colorify(addr_l, base_address_color),
+8374 VERTICAL_LINE, base_offset+offset,
+8375 sep.join(addrs[1:]), ma=(memalign*2 + 2))
+ +8377 register_hints = []
+ +8379 for regname in gef.arch.all_registers:
+8380 regvalue = gef.arch.register(regname)
+8381 if current_address == regvalue:
+8382 register_hints.append(regname)
+ +8384 if register_hints:
+8385 m = f"\t{LEFT_ARROW}{', '.join(list(register_hints))}"
+8386 l += Color.colorify(m, registers_color)
+ +8388 offset += memalign
+8389 return l
+ +8391 @only_if_gdb_running
+8392 @parse_arguments({"address": "$sp"}, {("-r", "--reference"): "", ("-l", "--length"): 10})
+8393 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+8394 args : argparse.Namespace = kwargs["arguments"]
+8395 nb = args.length
+ +8397 target = args.address
+8398 target_addr = parse_address(target)
+ +8400 reference = args.reference or target
+8401 ref_addr = parse_address(reference)
+ +8403 if process_lookup_address(target_addr) is None:
+8404 err(f"Unmapped address: '{target}'")
+8405 return
+ +8407 if process_lookup_address(ref_addr) is None: 8407 ↛ 8408line 8407 didn't jump to line 8408, because the condition on line 8407 was never true
+8408 err(f"Unmapped address: '{reference}'")
+8409 return
+ +8411 if gef.config["context.grow_stack_down"] is True: 8411 ↛ 8412line 8411 didn't jump to line 8412, because the condition on line 8411 was never true
+8412 insnum_step = -1
+8413 if nb > 0:
+8414 from_insnum = nb * (self.repeat_count + 1) - 1
+8415 to_insnum = self.repeat_count * nb - 1
+8416 else:
+8417 from_insnum = self.repeat_count * nb
+8418 to_insnum = nb * (self.repeat_count + 1)
+8419 else:
+8420 insnum_step = 1
+8421 if nb > 0:
+8422 from_insnum = self.repeat_count * nb
+8423 to_insnum = nb * (self.repeat_count + 1)
+8424 else:
+8425 from_insnum = nb * (self.repeat_count + 1) + 1
+8426 to_insnum = (self.repeat_count * nb) + 1
+ +8428 start_address = align_address(target_addr)
+8429 base_offset = start_address - align_address(ref_addr)
+ +8431 for i in range(from_insnum, to_insnum, insnum_step):
+8432 gef_print(DereferenceCommand.pprint_dereferenced(start_address, i, base_offset))
+ +8434 return
+ + +8437@register
+8438class ASLRCommand(GenericCommand):
+8439 """View/modify the ASLR setting of GDB. By default, GDB will disable ASLR when it starts the process. (i.e. not
+8440 attached). This command allows to change that setting."""
+ +8442 _cmdline_ = "aslr"
+8443 _syntax_ = f"{_cmdline_} [(on|off)]"
+ +8445 def do_invoke(self, argv: List[str]) -> None:
+8446 argc = len(argv)
+ +8448 if argc == 0:
+8449 ret = gdb.execute("show disable-randomization", to_string=True) or ""
+8450 i = ret.find("virtual address space is ")
+8451 if i < 0: 8451 ↛ 8452line 8451 didn't jump to line 8452, because the condition on line 8451 was never true
+8452 return
+ +8454 msg = "ASLR is currently "
+8455 if ret[i + 25:].strip() == "on.":
+8456 msg += Color.redify("disabled")
+8457 else:
+8458 msg += Color.greenify("enabled")
+ +8460 gef_print(msg)
+8461 return
+ +8463 elif argc == 1: 8463 ↛ 8475line 8463 didn't jump to line 8475, because the condition on line 8463 was never false
+8464 if argv[0] == "on": 8464 ↛ 8468line 8464 didn't jump to line 8468, because the condition on line 8464 was never false
+8465 info("Enabling ASLR")
+8466 gdb.execute("set disable-randomization off")
+8467 return
+8468 elif argv[0] == "off":
+8469 info("Disabling ASLR")
+8470 gdb.execute("set disable-randomization on")
+8471 return
+ +8473 warn("Invalid command")
+ +8475 self.usage()
+8476 return
+ + +8479@register
+8480class ResetCacheCommand(GenericCommand):
+8481 """Reset cache of all stored data. This command is here for debugging and test purposes, GEF
+8482 handles properly the cache reset under "normal" scenario."""
+ +8484 _cmdline_ = "reset-cache"
+8485 _syntax_ = _cmdline_
+ +8487 def do_invoke(self, _: List[str]) -> None:
+8488 reset_all_caches()
+8489 return
+ + +8492@register
+8493class VMMapCommand(GenericCommand):
+8494 """Display a comprehensive layout of the virtual memory mapping. If a filter argument, GEF will
+8495 filter out the mapping whose pathname do not match that filter."""
+ +8497 _cmdline_ = "vmmap"
+8498 _syntax_ = f"{_cmdline_} [FILTER]"
+8499 _example_ = f"{_cmdline_} libc"
+ +8501 @only_if_gdb_running
+8502 def do_invoke(self, argv: List[str]) -> None:
+8503 vmmap = gef.memory.maps
+8504 if not vmmap: 8504 ↛ 8505line 8504 didn't jump to line 8505, because the condition on line 8504 was never true
+8505 err("No address mapping information found")
+8506 return
+ +8508 if not gef.config["gef.disable_color"]: 8508 ↛ 8511line 8508 didn't jump to line 8511, because the condition on line 8508 was never false
+8509 self.show_legend()
+ +8511 color = gef.config["theme.table_heading"]
+ +8513 headers = ["Start", "End", "Offset", "Perm", "Path"]
+8514 gef_print(Color.colorify("{:<{w}s}{:<{w}s}{:<{w}s}{:<4s} {:s}".format(*headers, w=gef.arch.ptrsize*2+3), color))
+ +8516 for entry in vmmap:
+8517 if not argv:
+8518 self.print_entry(entry)
+8519 continue
+8520 if argv[0] in entry.path:
+8521 self.print_entry(entry)
+8522 elif self.is_integer(argv[0]): 8522 ↛ 8523line 8522 didn't jump to line 8523, because the condition on line 8522 was never true
+8523 addr = int(argv[0], 0)
+8524 if addr >= entry.page_start and addr < entry.page_end:
+8525 self.print_entry(entry)
+8526 return
+ +8528 def print_entry(self, entry: Section) -> None:
+8529 line_color = ""
+8530 if entry.path == "[stack]":
+8531 line_color = gef.config["theme.address_stack"]
+8532 elif entry.path == "[heap]": 8532 ↛ 8533line 8532 didn't jump to line 8533, because the condition on line 8532 was never true
+8533 line_color = gef.config["theme.address_heap"]
+8534 elif entry.permission & Permission.READ and entry.permission & Permission.EXECUTE:
+8535 line_color = gef.config["theme.address_code"]
+ +8537 l = [
+8538 Color.colorify(format_address(entry.page_start), line_color),
+8539 Color.colorify(format_address(entry.page_end), line_color),
+8540 Color.colorify(format_address(entry.offset), line_color),
+8541 ]
+8542 if entry.permission == Permission.ALL: 8542 ↛ 8543line 8542 didn't jump to line 8543, because the condition on line 8542 was never true
+8543 l.append(Color.colorify(str(entry.permission), "underline " + line_color))
+8544 else:
+8545 l.append(Color.colorify(str(entry.permission), line_color))
+ +8547 l.append(Color.colorify(entry.path, line_color))
+8548 line = " ".join(l)
+ +8550 gef_print(line)
+8551 return
+ +8553 def show_legend(self) -> None:
+8554 code_addr_color = gef.config["theme.address_code"]
+8555 stack_addr_color = gef.config["theme.address_stack"]
+8556 heap_addr_color = gef.config["theme.address_heap"]
+ +8558 gef_print("[ Legend: {} | {} | {} ]".format(Color.colorify("Code", code_addr_color),
+8559 Color.colorify("Heap", heap_addr_color),
+8560 Color.colorify("Stack", stack_addr_color)
+8561 ))
+8562 return
+ +8564 def is_integer(self, n: str) -> bool:
+8565 try:
+8566 int(n, 0)
+8567 except ValueError:
+8568 return False
+8569 return True
+ + +8572@register
+8573class XFilesCommand(GenericCommand):
+8574 """Shows all libraries (and sections) loaded by binary. This command extends the GDB command
+8575 `info files`, by retrieving more information from extra sources, and providing a better
+8576 display. If an argument FILE is given, the output will grep information related to only that file.
+8577 If an argument name is also given, the output will grep to the name within FILE."""
+ +8579 _cmdline_ = "xfiles"
+8580 _syntax_ = f"{_cmdline_} [FILE [NAME]]"
+8581 _example_ = f"\n{_cmdline_} libc\n{_cmdline_} libc IO_vtables"
+ +8583 @only_if_gdb_running
+8584 def do_invoke(self, argv: List[str]) -> None:
+8585 color = gef.config["theme.table_heading"]
+8586 headers = ["Start", "End", "Name", "File"]
+8587 gef_print(Color.colorify("{:<{w}s}{:<{w}s}{:<21s} {:s}".format(*headers, w=gef.arch.ptrsize*2+3), color))
+ +8589 filter_by_file = argv[0] if argv and argv[0] else None
+8590 filter_by_name = argv[1] if len(argv) > 1 and argv[1] else None
+ +8592 for xfile in get_info_files():
+8593 if filter_by_file: 8593 ↛ 8594line 8593 didn't jump to line 8594, because the condition on line 8593 was never true
+8594 if filter_by_file not in xfile.filename:
+8595 continue
+8596 if filter_by_name and filter_by_name not in xfile.name:
+8597 continue
+ +8599 l = [
+8600 format_address(xfile.zone_start),
+8601 format_address(xfile.zone_end),
+8602 f"{xfile.name:<21s}",
+8603 xfile.filename,
+8604 ]
+8605 gef_print(" ".join(l))
+8606 return
+ + +8609@register
+8610class XAddressInfoCommand(GenericCommand):
+8611 """Retrieve and display runtime information for the location(s) given as parameter."""
+ +8613 _cmdline_ = "xinfo"
+8614 _syntax_ = f"{_cmdline_} LOCATION"
+8615 _example_ = f"{_cmdline_} $pc"
+ +8617 def __init__(self) -> None:
+8618 super().__init__(complete=gdb.COMPLETE_LOCATION)
+8619 return
+ +8621 @only_if_gdb_running
+8622 def do_invoke(self, argv: List[str]) -> None:
+8623 if not argv:
+8624 err("At least one valid address must be specified")
+8625 self.usage()
+8626 return
+ +8628 for sym in argv:
+8629 try:
+8630 addr = align_address(parse_address(sym))
+8631 gef_print(titlify(f"xinfo: {addr:#x}"))
+8632 self.infos(addr)
+ +8634 except gdb.error as gdb_err:
+8635 err(f"{gdb_err}")
+8636 return
+ +8638 def infos(self, address: int) -> None:
+8639 addr = lookup_address(address)
+8640 if not addr.valid: 8640 ↛ 8641line 8640 didn't jump to line 8641, because the condition on line 8640 was never true
+8641 warn(f"Cannot reach {address:#x} in memory space")
+8642 return
+ +8644 sect = addr.section
+8645 info = addr.info
+ +8647 if sect: 8647 ↛ 8655line 8647 didn't jump to line 8655, because the condition on line 8647 was never false
+8648 gef_print(f"Page: {format_address(sect.page_start)} {RIGHT_ARROW} "
+8649 f"{format_address(sect.page_end)} (size={sect.page_end-sect.page_start:#x})"
+8650 f"\nPermissions: {sect.permission}"
+8651 f"\nPathname: {sect.path}"
+8652 f"\nOffset (from page): {addr.value-sect.page_start:#x}"
+8653 f"\nInode: {sect.inode}")
+ +8655 if info: 8655 ↛ 8656line 8655 didn't jump to line 8656, because the condition on line 8655 was never true
+8656 gef_print(f"Segment: {info.name} "
+8657 f"({format_address(info.zone_start)}-{format_address(info.zone_end)})"
+8658 f"\nOffset (from segment): {addr.value-info.zone_start:#x}")
+ +8660 sym = gdb_get_location_from_symbol(address)
+8661 if sym: 8661 ↛ 8662line 8661 didn't jump to line 8662, because the condition on line 8661 was never true
+8662 name, offset = sym
+8663 msg = f"Symbol: {name}"
+8664 if offset:
+8665 msg += f"+{offset:d}"
+8666 gef_print(msg)
+ +8668 return
+ + +8671@register
+8672class XorMemoryCommand(GenericCommand):
+8673 """XOR a block of memory. The command allows to simply display the result, or patch it
+8674 runtime at runtime."""
+ +8676 _cmdline_ = "xor-memory"
+8677 _syntax_ = f"{_cmdline_} (display|patch) ADDRESS SIZE KEY"
+ +8679 def __init__(self) -> None:
+8680 super().__init__(prefix=True)
+8681 return
+ +8683 def do_invoke(self, _: List[str]) -> None:
+8684 self.usage()
+8685 return
+ + +8688@register
+8689class XorMemoryDisplayCommand(GenericCommand):
+8690 """Display a block of memory pointed by ADDRESS by xor-ing each byte with KEY. The key must be
+8691 provided in hexadecimal format."""
+ +8693 _cmdline_ = "xor-memory display"
+8694 _syntax_ = f"{_cmdline_} ADDRESS SIZE KEY"
+8695 _example_ = f"{_cmdline_} $sp 16 41414141"
+ +8697 @only_if_gdb_running
+8698 def do_invoke(self, argv: List[str]) -> None:
+8699 if len(argv) != 3: 8699 ↛ 8700line 8699 didn't jump to line 8700, because the condition on line 8699 was never true
+8700 self.usage()
+8701 return
+ +8703 address = parse_address(argv[0])
+8704 length = int(argv[1], 0)
+8705 key = argv[2]
+8706 block = gef.memory.read(address, length)
+8707 info(f"Displaying XOR-ing {address:#x}-{address + len(block):#x} with {key!r}")
+ +8709 gef_print(titlify("Original block"))
+8710 gef_print(hexdump(block, base=address))
+ +8712 gef_print(titlify("XOR-ed block"))
+8713 gef_print(hexdump(xor(block, key), base=address))
+8714 return
+ + +8717@register
+8718class XorMemoryPatchCommand(GenericCommand):
+8719 """Patch a block of memory pointed by ADDRESS by xor-ing each byte with KEY. The key must be
+8720 provided in hexadecimal format."""
+ +8722 _cmdline_ = "xor-memory patch"
+8723 _syntax_ = f"{_cmdline_} ADDRESS SIZE KEY"
+8724 _example_ = f"{_cmdline_} $sp 16 41414141"
+ +8726 @only_if_gdb_running
+8727 def do_invoke(self, argv: List[str]) -> None:
+8728 if len(argv) != 3: 8728 ↛ 8729line 8728 didn't jump to line 8729, because the condition on line 8728 was never true
+8729 self.usage()
+8730 return
+ +8732 address = parse_address(argv[0])
+8733 length = int(argv[1], 0)
+8734 key = argv[2]
+8735 block = gef.memory.read(address, length)
+8736 info(f"Patching XOR-ing {address:#x}-{address + len(block):#x} with {key!r}")
+8737 xored_block = xor(block, key)
+8738 gef.memory.write(address, xored_block, length)
+8739 return
+ + +8742@register
+8743class TraceRunCommand(GenericCommand):
+8744 """Create a runtime trace of all instructions executed from $pc to LOCATION specified. The
+8745 trace is stored in a text file that can be next imported in IDA Pro to visualize the runtime
+8746 path."""
+ +8748 _cmdline_ = "trace-run"
+8749 _syntax_ = f"{_cmdline_} LOCATION [MAX_CALL_DEPTH]"
+8750 _example_ = f"{_cmdline_} 0x555555554610"
+ +8752 def __init__(self) -> None:
+8753 super().__init__(self._cmdline_, complete=gdb.COMPLETE_LOCATION)
+8754 self["max_tracing_recursion"] = (1, "Maximum depth of tracing")
+8755 self["tracefile_prefix"] = ("./gef-trace-", "Specify the tracing output file prefix")
+8756 return
+ +8758 @only_if_gdb_running
+8759 def do_invoke(self, argv: List[str]) -> None:
+8760 if len(argv) not in (1, 2): 8760 ↛ 8761line 8760 didn't jump to line 8761, because the condition on line 8760 was never true
+8761 self.usage()
+8762 return
+ +8764 if len(argv) == 2 and argv[1].isdigit(): 8764 ↛ 8765line 8764 didn't jump to line 8765, because the condition on line 8764 was never true
+8765 depth = int(argv[1])
+8766 else:
+8767 depth = 1
+ +8769 try:
+8770 loc_start = gef.arch.pc
+8771 loc_end = parse_address(argv[0])
+8772 except gdb.error as e:
+8773 err(f"Invalid location: {e}")
+8774 return
+ +8776 self.trace(loc_start, loc_end, depth)
+8777 return
+ +8779 def get_frames_size(self) -> int:
+8780 n = 0
+8781 f = gdb.newest_frame()
+8782 while f:
+8783 n += 1
+8784 f = f.older()
+8785 return n
+ +8787 def trace(self, loc_start: int, loc_end: int, depth: int) -> None:
+8788 info(f"Tracing from {loc_start:#x} to {loc_end:#x} (max depth={depth:d})")
+8789 logfile = f"{self['tracefile_prefix']}{loc_start:#x}-{loc_end:#x}.txt"
+8790 with RedirectOutputContext(to=logfile):
+8791 hide_context()
+8792 self.start_tracing(loc_start, loc_end, depth)
+8793 unhide_context()
+8794 ok(f"Done, logfile stored as '{logfile}'")
+8795 info("Hint: import logfile with `ida_color_gdb_trace.py` script in IDA to visualize path")
+8796 return
+ +8798 def start_tracing(self, loc_start: int, loc_end: int, depth: int) -> None:
+8799 loc_cur = loc_start
+8800 frame_count_init = self.get_frames_size()
+ +8802 gef_print("#",
+8803 f"# Execution tracing of {get_filepath()}",
+8804 f"# Start address: {format_address(loc_start)}",
+8805 f"# End address: {format_address(loc_end)}",
+8806 f"# Recursion level: {depth:d}",
+8807 "# automatically generated by gef.py",
+8808 "#\n", sep="\n")
+ +8810 while loc_cur != loc_end: 8810 ↛ 8829line 8810 didn't jump to line 8829, because the condition on line 8810 was never false
+8811 try:
+8812 delta = self.get_frames_size() - frame_count_init
+ +8814 if delta <= depth:
+8815 gdb.execute("stepi")
+8816 else:
+8817 gdb.execute("finish")
+ +8819 loc_cur = gef.arch.pc
+8820 gdb.flush()
+ +8822 except gdb.error as e:
+8823 gef_print("#",
+8824 f"# Execution interrupted at address {format_address(loc_cur)}",
+8825 f"# Exception: {e}",
+8826 "#\n", sep="\n")
+8827 break
+ +8829 return
+ + +8832@register
+8833class PatternCommand(GenericCommand):
+8834 """Generate or Search a De Bruijn Sequence of unique substrings of length N
+8835 and a total length of LENGTH. The default value of N is set to match the
+8836 currently loaded architecture."""
+ +8838 _cmdline_ = "pattern"
+8839 _syntax_ = f"{_cmdline_} (create|search) ARGS"
+ +8841 def __init__(self) -> None:
+8842 super().__init__(prefix=True)
+8843 self["length"] = (1024, "Default length of a cyclic buffer to generate")
+8844 return
+ +8846 def do_invoke(self, _: List[str]) -> None:
+8847 self.usage()
+8848 return
+ + +8851@register
+8852class PatternCreateCommand(GenericCommand):
+8853 """Generate a De Bruijn Sequence of unique substrings of length N and a
+8854 total length of LENGTH. The default value of N is set to match the currently
+8855 loaded architecture."""
+ +8857 _cmdline_ = "pattern create"
+8858 _syntax_ = f"{_cmdline_} [-h] [-n N] [length]"
+8859 _example_ = f"{_cmdline_} 4096"
+ +8861 @parse_arguments({"length": 0}, {("-n", "--n"): 0})
+8862 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+8863 args : argparse.Namespace = kwargs["arguments"]
+8864 length = args.length or gef.config["pattern.length"]
+8865 n = args.n or gef.arch.ptrsize
+8866 info(f"Generating a pattern of {length:d} bytes (n={n:d})")
+8867 pattern_str = gef_pystring(generate_cyclic_pattern(length, n))
+8868 gef_print(pattern_str)
+8869 ok(f"Saved as '{gef_convenience(pattern_str)}'")
+8870 return
+ + +8873@register
+8874class PatternSearchCommand(GenericCommand):
+8875 """Search a De Bruijn Sequence of unique substrings of length N and a
+8876 maximum total length of MAX_LENGTH. The default value of N is set to match
+8877 the currently loaded architecture. The PATTERN argument can be a GDB symbol
+8878 (such as a register name), a string or a hexadecimal value"""
+ +8880 _cmdline_ = "pattern search"
+8881 _syntax_ = f"{_cmdline_} [-h] [-n N] [--max-length MAX_LENGTH] [pattern]"
+8882 _example_ = [f"{_cmdline_} $pc",
+8883 f"{_cmdline_} 0x61616164",
+8884 f"{_cmdline_} aaab"]
+8885 _aliases_ = ["pattern offset"]
+ +8887 @only_if_gdb_running
+8888 @parse_arguments({"pattern": ""}, {("--period", "-n"): 0, ("--max-length", "-l"): 0})
+8889 def do_invoke(self, _: List[str], **kwargs: Any) -> None:
+8890 args = kwargs["arguments"]
+8891 if not args.pattern: 8891 ↛ 8892line 8891 didn't jump to line 8892, because the condition on line 8891 was never true
+8892 warn("No pattern provided")
+8893 return
+ +8895 max_length = args.max_length or gef.config["pattern.length"]
+8896 n = args.period or gef.arch.ptrsize
+8897 if n not in (2, 4, 8) or n > gef.arch.ptrsize: 8897 ↛ 8898line 8897 didn't jump to line 8898, because the condition on line 8897 was never true
+8898 err("Incorrect value for period")
+8899 return
+8900 self.search(args.pattern, max_length, n)
+8901 return
+ +8903 def search(self, pattern: str, size: int, period: int) -> None:
+8904 pattern_be, pattern_le = None, None
+ +8906 # 1. check if it's a symbol (like "$sp" or "0x1337")
+8907 symbol = safe_parse_and_eval(pattern)
+8908 if symbol:
+8909 addr = int(abs(symbol))
+8910 dereferenced_value = dereference(addr)
+8911 if dereferenced_value: 8911 ↛ 8912line 8911 didn't jump to line 8912, because the condition on line 8911 was never true
+8912 addr = int(abs(dereferenced_value))
+8913 mask = (1<<(8 * period))-1
+8914 addr &= mask
+8915 pattern_le = addr.to_bytes(period, 'little')
+8916 pattern_be = addr.to_bytes(period, 'big')
+8917 else:
+8918 # 2. assume it's a plain string
+8919 pattern_be = gef_pybytes(pattern)
+8920 pattern_le = gef_pybytes(pattern[::-1])
+ +8922 info(f"Searching for '{pattern_le.hex()}'/'{pattern_be.hex()}' with period={period}")
+8923 cyclic_pattern = generate_cyclic_pattern(size, period)
+8924 off = cyclic_pattern.find(pattern_le)
+8925 if off >= 0:
+8926 ok(f"Found at offset {off:d} (little-endian search) "
+8927 f"{Color.colorify('likely', 'bold red') if gef.arch.endianness == Endianness.LITTLE_ENDIAN else ''}")
+8928 return
+ +8930 off = cyclic_pattern.find(pattern_be)
+8931 if off >= 0: 8931 ↛ 8932line 8931 didn't jump to line 8932, because the condition on line 8931 was never true
+8932 ok(f"Found at offset {off:d} (big-endian search) "
+8933 f"{Color.colorify('likely', 'bold green') if gef.arch.endianness == Endianness.BIG_ENDIAN else ''}")
+8934 return
+ +8936 err(f"Pattern '{pattern}' not found")
+8937 return
+ + +8940@register
+8941class ChecksecCommand(GenericCommand):
+8942 """Checksec the security properties of the current executable or passed as argument. The
+8943 command checks for the following protections:
+8944 - PIE
+8945 - NX
+8946 - RelRO
+8947 - Glibc Stack Canaries
+8948 - Fortify Source"""
+ +8950 _cmdline_ = "checksec"
+8951 _syntax_ = f"{_cmdline_} [FILENAME]"
+8952 _example_ = f"{_cmdline_} /bin/ls"
+ +8954 def __init__(self) -> None:
+8955 super().__init__(complete=gdb.COMPLETE_FILENAME)
+8956 return
+ +8958 def do_invoke(self, argv: List[str]) -> None:
+8959 argc = len(argv)
+ +8961 if argc == 0: 8961 ↛ 8966line 8961 didn't jump to line 8966, because the condition on line 8961 was never false
+8962 filename = get_filepath()
+8963 if filename is None: 8963 ↛ 8964line 8963 didn't jump to line 8964, because the condition on line 8963 was never true
+8964 warn("No executable/library specified")
+8965 return
+8966 elif argc == 1:
+8967 filename = os.path.realpath(os.path.expanduser(argv[0]))
+8968 if not os.access(filename, os.R_OK):
+8969 err("Invalid filename")
+8970 return
+8971 else:
+8972 self.usage()
+8973 return
+ +8975 info(f"{self._cmdline_} for '{filename}'")
+8976 self.print_security_properties(filename)
+8977 return
+ +8979 def print_security_properties(self, filename: str) -> None:
+8980 sec = Elf(filename).checksec
+8981 for prop in sec:
+8982 if prop in ("Partial RelRO", "Full RelRO"): continue
+8983 val = sec[prop]
+8984 msg = Color.greenify(Color.boldify(TICK)) if val is True else Color.redify(Color.boldify(CROSS))
+8985 if val and prop == "Canary" and is_alive(): 8985 ↛ 8986line 8985 didn't jump to line 8986, because the condition on line 8985 was never true
+8986 canary = gef.session.canary[0] if gef.session.canary else 0
+8987 msg += f"(value: {canary:#x})"
+ +8989 gef_print(f"{prop:<30s}: {msg}")
+ +8991 if sec["Full RelRO"]:
+8992 gef_print(f"{'RelRO':<30s}: {Color.greenify('Full')}")
+8993 elif sec["Partial RelRO"]: 8993 ↛ 8996line 8993 didn't jump to line 8996, because the condition on line 8993 was never false
+8994 gef_print(f"{'RelRO':<30s}: {Color.yellowify('Partial')}")
+8995 else:
+8996 gef_print(f"{'RelRO':<30s}: {Color.redify(Color.boldify(CROSS))}")
+8997 return
+ + +9000@register
+9001class GotCommand(GenericCommand):
+9002 """Display current status of the got inside the process."""
+ +9004 _cmdline_ = "got"
+9005 _syntax_ = f"{_cmdline_} [FUNCTION_NAME ...] "
+9006 _example_ = "got read printf exit"
+ +9008 def __init__(self):
+9009 super().__init__()
+9010 self["function_resolved"] = ("green",
+9011 "Line color of the got command output for resolved function")
+9012 self["function_not_resolved"] = ("yellow",
+9013 "Line color of the got command output for unresolved function")
+9014 return
+ +9016 @only_if_gdb_running
+9017 def do_invoke(self, argv: List[str]) -> None:
+9018 readelf = gef.session.constants["readelf"]
+ +9020 if is_remote_debug(): 9020 ↛ 9021line 9020 didn't jump to line 9021, because the condition on line 9020 was never true
+9021 elf_file = str(gef.session.remote.lfile)
+9022 elf_virtual_path = str(gef.session.remote.file)
+9023 else:
+9024 elf_file = str(gef.session.file)
+9025 elf_virtual_path = str(gef.session.file)
+ +9027 func_names_filter = argv if argv else []
+9028 vmmap = gef.memory.maps
+9029 base_address = min(x.page_start for x in vmmap if x.path == elf_virtual_path)
+9030 end_address = max(x.page_end for x in vmmap if x.path == elf_virtual_path)
+ +9032 # get the checksec output.
+9033 checksec_status = Elf(elf_file).checksec
+9034 relro_status = "Full RelRO"
+9035 full_relro = checksec_status["Full RelRO"]
+9036 pie = checksec_status["PIE"] # if pie we will have offset instead of abs address.
+ +9038 if not full_relro: 9038 ↛ 9039line 9038 didn't jump to line 9039, because the condition on line 9038 was never true
+9039 relro_status = "Partial RelRO"
+9040 partial_relro = checksec_status["Partial RelRO"]
+ +9042 if not partial_relro:
+9043 relro_status = "No RelRO"
+ +9045 # retrieve jump slots using readelf
+9046 lines = gef_execute_external([readelf, "--relocs", elf_file], as_list=True)
+9047 jmpslots = [line for line in lines if "JUMP" in line]
+ +9049 gef_print(f"\nGOT protection: {relro_status} | GOT functions: {len(jmpslots)}\n ")
+ +9051 for line in jmpslots:
+9052 address, _, _, _, name = line.split()[:5]
+ +9054 # if we have a filter let's skip the entries that are not requested.
+9055 if func_names_filter:
+9056 if not any(map(lambda x: x in name, func_names_filter)):
+9057 continue
+ +9059 address_val = int(address, 16)
+ +9061 # address_val is an offset from the base_address if we have PIE.
+9062 if pie or is_remote_debug(): 9062 ↛ 9066line 9062 didn't jump to line 9066, because the condition on line 9062 was never false
+9063 address_val = base_address + address_val
+ +9065 # read the address of the function.
+9066 got_address = gef.memory.read_integer(address_val)
+ +9068 # for the swag: different colors if the function has been resolved or not.
+9069 if base_address < got_address < end_address: 9069 ↛ 9070line 9069 didn't jump to line 9070, because the condition on line 9069 was never true
+9070 color = self["function_not_resolved"]
+9071 else:
+9072 color = self["function_resolved"]
+ +9074 line = f"[{hex(address_val)}] "
+9075 line += Color.colorify(f"{name} {RIGHT_ARROW} {hex(got_address)}", color)
+9076 gef_print(line)
+9077 return
+ + +9080@register
+9081class HighlightCommand(GenericCommand):
+9082 """Highlight user-defined text matches in GEF output universally."""
+9083 _cmdline_ = "highlight"
+9084 _syntax_ = f"{_cmdline_} (add|remove|list|clear)"
+9085 _aliases_ = ["hl"]
+ +9087 def __init__(self) -> None:
+9088 super().__init__(prefix=True)
+9089 self["regex"] = (False, "Enable regex highlighting")
+ +9091 def do_invoke(self, _: List[str]) -> None:
+9092 return self.usage()
+ + +9095@register
+9096class HighlightListCommand(GenericCommand):
+9097 """Show the current highlight table with matches to colors."""
+9098 _cmdline_ = "highlight list"
+9099 _aliases_ = ["highlight ls", "hll"]
+9100 _syntax_ = _cmdline_
+ +9102 def print_highlight_table(self) -> None:
+9103 if not gef.ui.highlight_table:
+9104 err("no matches found")
+9105 return
+ +9107 left_pad = max(map(len, gef.ui.highlight_table.keys()))
+9108 for match, color in sorted(gef.ui.highlight_table.items()):
+9109 print(f"{Color.colorify(match.ljust(left_pad), color)} {VERTICAL_LINE} "
+9110 f"{Color.colorify(color, color)}")
+9111 return
+ +9113 def do_invoke(self, _: List[str]) -> None:
+9114 return self.print_highlight_table()
+ + +9117@register
+9118class HighlightClearCommand(GenericCommand):
+9119 """Clear the highlight table, remove all matches."""
+9120 _cmdline_ = "highlight clear"
+9121 _aliases_ = ["hlc"]
+9122 _syntax_ = _cmdline_
+ +9124 def do_invoke(self, _: List[str]) -> None:
+9125 return gef.ui.highlight_table.clear()
+ + +9128@register
+9129class HighlightAddCommand(GenericCommand):
+9130 """Add a match to the highlight table."""
+9131 _cmdline_ = "highlight add"
+9132 _syntax_ = f"{_cmdline_} MATCH COLOR"
+9133 _aliases_ = ["highlight set", "hla"]
+9134 _example_ = f"{_cmdline_} 41414141 yellow"
+ +9136 def do_invoke(self, argv: List[str]) -> None:
+9137 if len(argv) < 2: 9137 ↛ 9138line 9137 didn't jump to line 9138, because the condition on line 9137 was never true
+9138 return self.usage()
+ +9140 match, color = argv
+9141 gef.ui.highlight_table[match] = color
+9142 return
+ + +9145@register
+9146class HighlightRemoveCommand(GenericCommand):
+9147 """Remove a match in the highlight table."""
+9148 _cmdline_ = "highlight remove"
+9149 _syntax_ = f"{_cmdline_} MATCH"
+9150 _aliases_ = [
+9151 "highlight delete",
+9152 "highlight del",
+9153 "highlight unset",
+9154 "highlight rm",
+9155 "hlr",
+9156 ]
+9157 _example_ = f"{_cmdline_} remove 41414141"
+ +9159 def do_invoke(self, argv: List[str]) -> None:
+9160 if not argv:
+9161 return self.usage()
+ +9163 gef.ui.highlight_table.pop(argv[0], None)
+9164 return
+ + +9167@register
+9168class FormatStringSearchCommand(GenericCommand):
+9169 """Exploitable format-string helper: this command will set up specific breakpoints
+9170 at well-known dangerous functions (printf, snprintf, etc.), and check if the pointer
+9171 holding the format string is writable, and therefore susceptible to format string
+9172 attacks if an attacker can control its content."""
+9173 _cmdline_ = "format-string-helper"
+9174 _syntax_ = _cmdline_
+9175 _aliases_ = ["fmtstr-helper",]
+ +9177 def do_invoke(self, _: List[str]) -> None:
+9178 dangerous_functions = {
+9179 "printf": 0,
+9180 "sprintf": 1,
+9181 "fprintf": 1,
+9182 "snprintf": 2,
+9183 "vsnprintf": 2,
+9184 }
+ +9186 nb_installed_breaks = 0
+ +9188 with RedirectOutputContext(to="/dev/null"):
+9189 for function_name in dangerous_functions:
+9190 argument_number = dangerous_functions[function_name]
+9191 FormatStringBreakpoint(function_name, argument_number)
+9192 nb_installed_breaks += 1
+ +9194 ok(f"Enabled {nb_installed_breaks} FormatString "
+9195 f"breakpoint{'s' if nb_installed_breaks > 1 else ''}")
+9196 return
+ + +9199@register
+9200class HeapAnalysisCommand(GenericCommand):
+9201 """Heap vulnerability analysis helper: this command aims to track dynamic heap allocation
+9202 done through malloc()/free() to provide some insights on possible heap vulnerabilities. The
+9203 following vulnerabilities are checked:
+9204 - NULL free
+9205 - Use-after-Free
+9206 - Double Free
+9207 - Heap overlap"""
+9208 _cmdline_ = "heap-analysis-helper"
+9209 _syntax_ = _cmdline_
+ +9211 def __init__(self) -> None:
+9212 super().__init__(complete=gdb.COMPLETE_NONE)
+9213 self["check_free_null"] = (False, "Break execution when a free(NULL) is encountered")
+9214 self["check_double_free"] = (True, "Break execution when a double free is encountered")
+9215 self["check_weird_free"] = (True, "Break execution when free() is called against a non-tracked pointer")
+9216 self["check_uaf"] = (True, "Break execution when a possible Use-after-Free condition is found")
+9217 self["check_heap_overlap"] = (True, "Break execution when a possible overlap in allocation is found")
+ +9219 self.bp_malloc = None
+9220 self.bp_calloc = None
+9221 self.bp_free = None
+9222 self.bp_realloc = None
+9223 return
+ +9225 @only_if_gdb_running
+9226 @experimental_feature
+9227 def do_invoke(self, argv: List[str]) -> None:
+9228 if not argv: 9228 ↛ 9232line 9228 didn't jump to line 9232, because the condition on line 9228 was never false
+9229 self.setup()
+9230 return
+ +9232 if argv[0] == "show":
+9233 self.dump_tracked_allocations()
+9234 return
+ +9236 def setup(self) -> None:
+9237 ok("Tracking malloc() & calloc()")
+9238 self.bp_malloc = TraceMallocBreakpoint("__libc_malloc")
+9239 self.bp_calloc = TraceMallocBreakpoint("__libc_calloc")
+9240 ok("Tracking free()")
+9241 self.bp_free = TraceFreeBreakpoint()
+9242 ok("Tracking realloc()")
+9243 self.bp_realloc = TraceReallocBreakpoint()
+ +9245 ok("Disabling hardware watchpoints (this may increase the latency)")
+9246 gdb.execute("set can-use-hw-watchpoints 0")
+ +9248 info("Dynamic breakpoints correctly setup, "
+9249 "GEF will break execution if a possible vulnerabity is found.")
+9250 warn(f"{Color.colorify('Note', 'bold underline yellow')}: "
+9251 "The heap analysis slows down the execution noticeably.")
+ +9253 # when inferior quits, we need to clean everything for a next execution
+9254 gef_on_exit_hook(self.clean)
+9255 return
+ +9257 def dump_tracked_allocations(self) -> None:
+9258 global gef
+ +9260 if gef.session.heap_allocated_chunks:
+9261 ok("Tracked as in-use chunks:")
+9262 for addr, sz in gef.session.heap_allocated_chunks:
+9263 gef_print(f"{CROSS} malloc({sz:d}) = {addr:#x}")
+9264 else:
+9265 ok("No malloc() chunk tracked")
+ +9267 if gef.session.heap_freed_chunks:
+9268 ok("Tracked as free-ed chunks:")
+9269 for addr, sz in gef.session.heap_freed_chunks:
+9270 gef_print(f"{TICK} free({sz:d}) = {addr:#x}")
+9271 else:
+9272 ok("No free() chunk tracked")
+9273 return
+ +9275 def clean(self, _: "gdb.Event") -> None:
+9276 global gef
+ +9278 ok(f"{Color.colorify('Heap-Analysis', 'yellow bold')} - Cleaning up")
+9279 for bp in [self.bp_malloc, self.bp_calloc, self.bp_free, self.bp_realloc]:
+9280 if hasattr(bp, "retbp") and bp.retbp: 9280 ↛ 9288line 9280 didn't jump to line 9288, because the condition on line 9280 was never false
+9281 try:
+9282 bp.retbp.delete()
+9283 except RuntimeError:
+9284 # in some cases, gdb was found failing to correctly remove the retbp
+9285 # but they can be safely ignored since the debugging session is over
+9286 pass
+ +9288 bp.delete()
+ +9290 for wp in gef.session.heap_uaf_watchpoints:
+9291 wp.delete()
+ +9293 gef.session.heap_allocated_chunks = []
+9294 gef.session.heap_freed_chunks = []
+9295 gef.session.heap_uaf_watchpoints = []
+ +9297 ok(f"{Color.colorify('Heap-Analysis', 'yellow bold')} - Re-enabling hardware watchpoints")
+9298 gdb.execute("set can-use-hw-watchpoints 1")
+ +9300 gef_on_exit_unhook(self.clean)
+9301 return
+ + +9304#
+9305# GDB Function declaration
+9306#
+9307@deprecated("")
+9308def register_function(cls: Type["GenericFunction"]) -> Type["GenericFunction"]:
+9309 """Decorator for registering a new convenience function to GDB."""
+9310 return cls
+ + +9313class GenericFunction(gdb.Function):
+9314 """This is an abstract class for invoking convenience functions, should not be instantiated."""
+ +9316 _function_ : str
+9317 _syntax_: str = ""
+9318 _example_ : str = ""
+ +9320 def __init__(self) -> None:
+9321 super().__init__(self._function_)
+ +9323 def invoke(self, *args: Any) -> int:
+9324 if not is_alive():
+9325 raise gdb.GdbError("No debugging session active")
+9326 return self.do_invoke(args)
+ +9328 def arg_to_long(self, args: List, index: int, default: int = 0) -> int:
+9329 try:
+9330 addr = args[index]
+9331 return int(addr) if addr.address is None else int(addr.address)
+9332 except IndexError:
+9333 return default
+ +9335 def do_invoke(self, args: Any) -> int:
+9336 raise NotImplementedError
+ + +9339@register
+9340class StackOffsetFunction(GenericFunction):
+9341 """Return the current stack base address plus an optional offset."""
+9342 _function_ = "_stack"
+9343 _syntax_ = f"${_function_}()"
+ +9345 def do_invoke(self, args: List) -> int:
+9346 base = get_section_base_address("[stack]")
+9347 if not base: 9347 ↛ 9348line 9347 didn't jump to line 9348, because the condition on line 9347 was never true
+9348 raise gdb.GdbError("Stack not found")
+ +9350 return self.arg_to_long(args, 0) + base
+ + +9353@register
+9354class HeapBaseFunction(GenericFunction):
+9355 """Return the current heap base address plus an optional offset."""
+9356 _function_ = "_heap"
+9357 _syntax_ = f"${_function_}()"
+ +9359 def do_invoke(self, args: List) -> int:
+9360 base = gef.heap.base_address
+9361 if not base: 9361 ↛ 9362line 9361 didn't jump to line 9362, because the condition on line 9361 was never true
+9362 base = get_section_base_address("[heap]")
+9363 if not base:
+9364 raise gdb.GdbError("Heap not found")
+9365 return self.arg_to_long(args, 0) + base
+ + +9368@register
+9369class SectionBaseFunction(GenericFunction):
+9370 """Return the matching file's base address plus an optional offset.
+9371 Defaults to current file. Note that quotes need to be escaped"""
+9372 _function_ = "_base"
+9373 _syntax_ = "$_base([filepath])"
+9374 _example_ = "p $_base(\\\"/usr/lib/ld-2.33.so\\\")"
+ +9376 def do_invoke(self, args: List) -> int:
+9377 addr = 0
+9378 try:
+9379 name = args[0].string()
+9380 except IndexError: 9380 ↛ 9382line 9380 didn't jump to line 9382
+9381 name = gef.session.file.name
+9382 except gdb.error:
+9383 err(f"Invalid arg: {args[0]}")
+9384 return 0
+ +9386 try:
+9387 base = get_section_base_address(name)
+9388 if base: 9388 ↛ 9393line 9388 didn't jump to line 9393, because the condition on line 9388 was never false
+9389 addr = int(base)
+9390 except TypeError:
+9391 err(f"Cannot find section {name}")
+9392 return 0
+9393 return addr
+ + +9396@register
+9397class BssBaseFunction(GenericFunction):
+9398 """Return the current bss base address plus the given offset."""
+9399 _function_ = "_bss"
+9400 _syntax_ = f"${_function_}([OFFSET])"
+9401 _example_ = "deref $_bss(0x20)"
+ +9403 def do_invoke(self, args: List) -> int:
+9404 base = get_zone_base_address(".bss")
+9405 if not base: 9405 ↛ 9406line 9405 didn't jump to line 9406, because the condition on line 9405 was never true
+9406 raise gdb.GdbError("BSS not found")
+9407 return self.arg_to_long(args, 0) + base
+ + +9410@register
+9411class GotBaseFunction(GenericFunction):
+9412 """Return the current GOT base address plus the given offset."""
+9413 _function_ = "_got"
+9414 _syntax_ = f"${_function_}([OFFSET])"
+9415 _example_ = "deref $_got(0x20)"
+ +9417 def do_invoke(self, args: List) -> int:
+9418 base = get_zone_base_address(".got")
+9419 if not base: 9419 ↛ 9420line 9419 didn't jump to line 9420, because the condition on line 9419 was never true
+9420 raise gdb.GdbError("GOT not found")
+9421 return base + self.arg_to_long(args, 0)
+ + +9424@register
+9425class GefFunctionsCommand(GenericCommand):
+9426 """List the convenience functions provided by GEF."""
+9427 _cmdline_ = "functions"
+9428 _syntax_ = _cmdline_
+ +9430 def __init__(self) -> None:
+9431 super().__init__()
+9432 self.docs = []
+9433 self.should_refresh = True
+9434 return
+ +9436 def __add__(self, function: GenericFunction):
+9437 """Add function to documentation."""
+9438 doc = getattr(function, "__doc__", "").lstrip()
+9439 if not hasattr(function, "_syntax_"): 9439 ↛ 9440line 9439 didn't jump to line 9440, because the condition on line 9439 was never true
+9440 raise ValueError("Function is invalid")
+9441 syntax = getattr(function, "_syntax_").lstrip()
+9442 msg = f"{Color.colorify(syntax, 'bold cyan')}\n {doc}"
+9443 example = getattr(function, "_example_", "").strip()
+9444 if example:
+9445 msg += f"\n {Color.yellowify('Example:')} {example}"
+9446 self.docs.append(msg)
+9447 return self
+ +9449 def __radd__(self, function: GenericFunction):
+9450 return self.__add__(function)
+ +9452 def __str__(self) -> str:
+9453 if self.should_refresh: 9453 ↛ 9455line 9453 didn't jump to line 9455, because the condition on line 9453 was never false
+9454 self.__rebuild()
+9455 return self.__doc__ or ""
+ +9457 def __rebuild(self) -> None:
+9458 """Rebuild the documentation for functions."""
+9459 for function in gef.gdb.functions.values():
+9460 self += function
+ +9462 self.command_size = len(gef.gdb.commands)
+9463 _, cols = get_terminal_size()
+9464 separator = HORIZONTAL_LINE*cols
+9465 self.__doc__ = f"\n{separator}\n".join(sorted(self.docs))
+9466 self.should_refresh = False
+9467 return
+ +9469 def do_invoke(self, argv) -> None:
+9470 self.dont_repeat()
+9471 gef_print(titlify("GEF - Convenience Functions"))
+9472 gef_print("These functions can be used as arguments to other "
+9473 "commands to dynamically calculate values\n")
+9474 gef_print(str(self))
+9475 return
+ + +9478#
+9479# GEF internal command classes
+9480#
+9481class GefCommand(gdb.Command):
+9482 """GEF main command: view all new commands by typing `gef`."""
+ +9484 _cmdline_ = "gef"
+9485 _syntax_ = f"{_cmdline_} (missing|config|save|restore|set|run)"
+ +9487 def __init__(self) -> None:
+9488 super().__init__(self._cmdline_, gdb.COMMAND_SUPPORT, gdb.COMPLETE_NONE, True)
+9489 gef.config["gef.follow_child"] = GefSetting(True, bool, "Automatically set GDB to follow child when forking")
+9490 gef.config["gef.readline_compat"] = GefSetting(False, bool, "Workaround for readline SOH/ETX issue (SEGV)")
+9491 gef.config["gef.debug"] = GefSetting(False, bool, "Enable debug mode for gef")
+9492 gef.config["gef.autosave_breakpoints_file"] = GefSetting("", str, "Automatically save and restore breakpoints")
+9493 gef.config["gef.extra_plugins_dir"] = GefSetting("", str, "Autoload additional GEF commands from external directory", hooks={"on_write": self.load_extra_plugins})
+9494 gef.config["gef.disable_color"] = GefSetting(False, bool, "Disable all colors in GEF")
+9495 gef.config["gef.tempdir"] = GefSetting(GEF_TEMP_DIR, str, "Directory to use for temporary/cache content")
+9496 gef.config["gef.show_deprecation_warnings"] = GefSetting(True, bool, "Toggle the display of the `deprecated` warnings")
+9497 gef.config["gef.buffer"] = GefSetting(True, bool, "Internally buffer command output until completion")
+9498 gef.config["gef.bruteforce_main_arena"] = GefSetting(False, bool, "Allow bruteforcing main_arena symbol if everything else fails")
+9499 gef.config["gef.main_arena_offset"] = GefSetting("", str, "Offset from libc base address to main_arena symbol (int or hex). Set to empty string to disable.")
+ +9501 self.commands : Dict[str, GenericCommand] = collections.OrderedDict()
+9502 self.functions : Dict[str, GenericFunction] = collections.OrderedDict()
+9503 self.missing: Dict[str, Exception] = {}
+9504 return
+ +9506 @property
+9507 def loaded_commands(self) -> List[Tuple[str, Type[GenericCommand], Any]]:
+9508 print("Obsolete loaded_commands")
+9509 raise
+ +9511 @property
+9512 def loaded_functions(self) -> List[Type[GenericFunction]]:
+9513 print("Obsolete loaded_functions")
+9514 raise
+ +9516 @property
+9517 def missing_commands(self) -> Dict[str, Exception]:
+9518 print("Obsolete missing_commands")
+9519 raise
+ +9521 def setup(self) -> None:
+9522 self.load()
+ +9524 GefHelpCommand()
+9525 GefConfigCommand()
+9526 GefSaveCommand()
+9527 GefMissingCommand()
+9528 GefSetCommand()
+9529 GefRunCommand()
+9530 GefInstallExtraScriptCommand()
+ +9532 # restore the settings from config file if any
+9533 GefRestoreCommand()
+9534 return
+ +9536 def load_extra_plugins(self) -> int:
+9537 def load_plugin(fpath: pathlib.Path) -> bool:
+9538 try:
+9539 dbg(f"Loading '{fpath}'")
+9540 gdb.execute(f"source {fpath}")
+9541 except Exception as e:
+9542 warn(f"Exception while loading {fpath}: {str(e)}")
+9543 return False
+9544 return True
+ +9546 nb_added = -1
+9547 start_time = time.perf_counter()
+9548 try:
+9549 nb_inital = len(__registered_commands__)
+9550 directories: List[str] = gef.config["gef.extra_plugins_dir"].split(";") or []
+9551 for d in directories:
+9552 d = d.strip()
+9553 if not d: continue 9553 ↛ 9554line 9553 didn't jump to line 9554, because the condition on line 9553 was never false
+9554 directory = pathlib.Path(d).expanduser()
+9555 if not directory.is_dir(): continue
+9556 sys.path.append(str(directory.absolute()))
+9557 for entry in directory.iterdir():
+9558 if entry.is_dir():
+9559 if entry.name in ('gdb', 'gef', '__pycache__'): continue
+9560 load_plugin(entry / "__init__.py")
+9561 else:
+9562 if entry.suffix != ".py": continue
+9563 if entry.name == "__init__.py": continue
+9564 load_plugin(entry)
+ +9566 nb_added = len(__registered_commands__) - nb_inital
+9567 if nb_added > 0: 9567 ↛ 9568line 9567 didn't jump to line 9568, because the condition on line 9567 was never true
+9568 self.load()
+9569 nb_failed = len(__registered_commands__) - len(self.commands)
+9570 end_time = time.perf_counter()
+9571 load_time = end_time - start_time
+9572 ok(f"{Color.colorify(str(nb_added), 'bold green')} extra commands added from "
+9573 f"'{Color.colorify(', '.join(directories), 'bold blue')}' in {load_time:.2f} seconds")
+9574 if nb_failed != 0:
+9575 warn(f"{Color.colorify(str(nb_failed), 'bold light_gray')} extra commands/functions failed to be added. "
+9576 "Check `gef missing` to know why")
+ +9578 except gdb.error as e:
+9579 err(f"failed: {e}")
+9580 return nb_added
+ +9582 @property
+9583 def loaded_command_names(self) -> Iterable[str]:
+9584 print("obsolete loaded_command_names")
+9585 return self.commands.keys()
+ +9587 def invoke(self, args: Any, from_tty: bool) -> None:
+9588 self.dont_repeat()
+9589 gdb.execute("gef help")
+9590 return
+ +9592 def add_context_pane(self, pane_name: str, display_pane_function: Callable, pane_title_function: Callable, condition: Optional[Callable]) -> None:
+9593 """Add a new context pane to ContextCommand."""
+9594 for _, class_instance in self.commands.items():
+9595 if isinstance(class_instance, ContextCommand):
+9596 context = class_instance
+9597 break
+9598 else:
+9599 err("Cannot find ContextCommand")
+9600 return
+ +9602 # assure users can toggle the new context
+9603 corrected_settings_name = pane_name.replace(" ", "_")
+9604 gef.config["context.layout"] += f" {corrected_settings_name}"
+ +9606 # overload the printing of pane title
+9607 context.layout_mapping[corrected_settings_name] = (display_pane_function, pane_title_function, condition)
+ +9609 def load(self) -> None:
+9610 """Load all the commands and functions defined by GEF into GDB."""
+9611 current_commands = set(self.commands.keys())
+9612 new_commands = set(x._cmdline_ for x in __registered_commands__) - current_commands
+9613 current_functions = set(self.functions.keys())
+9614 new_functions = set(x._function_ for x in __registered_functions__) - current_functions
+9615 self.missing.clear()
+9616 self.__load_time_ms = time.time()* 1000
+ +9618 # load all new functions
+9619 for name in sorted(new_functions):
+9620 for function_cls in __registered_functions__: 9620 ↛ 9619line 9620 didn't jump to line 9619, because the loop on line 9620 didn't complete
+9621 if function_cls._function_ == name:
+9622 self.functions[name] = function_cls()
+9623 break
+ +9625 # load all new commands
+9626 for name in sorted(new_commands):
+9627 try:
+9628 for command_cls in __registered_commands__: 9628 ↛ 9626line 9628 didn't jump to line 9626, because the loop on line 9628 didn't complete
+9629 if command_cls._cmdline_ == name:
+9630 command_instance = command_cls()
+ +9632 # create the aliases if any
+9633 if hasattr(command_instance, "_aliases_"):
+9634 aliases = getattr(command_instance, "_aliases_")
+9635 for alias in aliases:
+9636 GefAlias(alias, name)
+ +9638 self.commands[name] = command_instance
+9639 break
+ +9641 except Exception as reason:
+9642 self.missing[name] = reason
+ +9644 self.__load_time_ms = (time.time()* 1000) - self.__load_time_ms
+9645 return
+ + +9648 def show_banner(self) -> None:
+9649 gef_print(f"{Color.greenify('GEF')} for {gef.session.os} ready, "
+9650 f"type `{Color.colorify('gef', 'underline yellow')}' to start, "
+9651 f"`{Color.colorify('gef config', 'underline pink')}' to configure")
+ +9653 ver = f"{sys.version_info.major:d}.{sys.version_info.minor:d}"
+9654 gef_print(f"{Color.colorify(str(len(self.commands)), 'bold green')} commands loaded "
+9655 f"and {Color.colorify(str(len(self.functions)), 'bold blue')} functions added for "
+9656 f"GDB {Color.colorify(gdb.VERSION, 'bold yellow')} in {self.__load_time_ms:.2f}ms "
+9657 f"using Python engine {Color.colorify(ver, 'bold red')}")
+ +9659 nb_missing = len(self.missing)
+9660 if nb_missing: 9660 ↛ 9661line 9660 didn't jump to line 9661, because the condition on line 9660 was never true
+9661 warn(f"{Color.colorify(str(nb_missing), 'bold red')} "
+9662 f"command{'s' if nb_missing > 1 else ''} could not be loaded, "
+9663 f"run `{Color.colorify('gef missing', 'underline pink')}` to know why.")
+9664 return
+ + +9667class GefHelpCommand(gdb.Command):
+9668 """GEF help sub-command."""
+9669 _cmdline_ = "gef help"
+9670 _syntax_ = _cmdline_
+ +9672 def __init__(self) -> None:
+9673 super().__init__(self._cmdline_, gdb.COMMAND_SUPPORT, gdb.COMPLETE_NONE, False)
+9674 self.docs = []
+9675 self.should_refresh = True
+9676 self.command_size = 0
+9677 return
+ +9679 def invoke(self, args: Any, from_tty: bool) -> None:
+9680 self.dont_repeat()
+9681 gef_print(titlify("GEF - GDB Enhanced Features"))
+9682 gef_print(str(self))
+9683 return
+ +9685 def __rebuild(self) -> None:
+9686 """Rebuild the documentation."""
+9687 for name, cmd in gef.gdb.commands.items():
+9688 self += (name, cmd)
+ +9690 self.command_size = len(gef.gdb.commands)
+9691 _, cols = get_terminal_size()
+9692 separator = HORIZONTAL_LINE*cols
+9693 self.__doc__ = f"\n{separator}\n".join(sorted(self.docs))
+9694 self.should_refresh = False
+9695 return
+ +9697 def __add__(self, command: Tuple[str, GenericCommand]):
+9698 """Add command to GEF documentation."""
+9699 cmd, class_obj = command
+9700 if " " in cmd:
+9701 # do not print subcommands in gef help
+9702 return self
+9703 doc = getattr(class_obj, "__doc__", "").lstrip()
+9704 aliases = f"Aliases: {', '.join(class_obj._aliases_)}" if hasattr(class_obj, "_aliases_") else ""
+9705 msg = f"{Color.colorify(cmd, 'bold red')}\n{doc}\n{aliases}"
+9706 self.docs.append(msg)
+9707 return self
+ +9709 def __radd__(self, command: Tuple[str, GenericCommand]):
+9710 return self.__add__(command)
+ +9712 def __str__(self) -> str:
+9713 """Lazily regenerate the `gef help` object if it was modified"""
+9714 # quick check in case the docs have changed
+9715 if self.should_refresh or self.command_size != len(gef.gdb.commands): 9715 ↛ 9717line 9715 didn't jump to line 9717, because the condition on line 9715 was never false
+9716 self.__rebuild()
+9717 return self.__doc__ or ""
+ + +9720class GefConfigCommand(gdb.Command):
+9721 """GEF configuration sub-command
+9722 This command will help set/view GEF settings for the current debugging session.
+9723 It is possible to make those changes permanent by running `gef save` (refer
+9724 to this command help), and/or restore previously saved settings by running
+9725 `gef restore` (refer help).
+9726 """
+9727 _cmdline_ = "gef config"
+9728 _syntax_ = f"{_cmdline_} [setting_name] [setting_value]"
+ +9730 def __init__(self) -> None:
+9731 super().__init__(self._cmdline_, gdb.COMMAND_NONE, prefix=False)
+9732 return
+ +9734 def invoke(self, args: str, from_tty: bool) -> None:
+9735 self.dont_repeat()
+9736 argv = gdb.string_to_argv(args)
+9737 argc = len(argv)
+ +9739 if not (0 <= argc <= 2): 9739 ↛ 9740line 9739 didn't jump to line 9740, because the condition on line 9739 was never true
+9740 err("Invalid number of arguments")
+9741 return
+ +9743 if argc == 0:
+9744 gef_print(titlify("GEF configuration settings"))
+9745 self.print_settings()
+9746 return
+ +9748 if argc == 1:
+9749 prefix = argv[0]
+9750 names = [x for x in gef.config.keys() if x.startswith(prefix)]
+9751 if names: 9751 ↛ 9758line 9751 didn't jump to line 9758, because the condition on line 9751 was never false
+9752 if len(names) == 1: 9752 ↛ 9756line 9752 didn't jump to line 9756, because the condition on line 9752 was never false
+9753 gef_print(titlify(f"GEF configuration setting: {names[0]}"))
+9754 self.print_setting(names[0], verbose=True)
+9755 else:
+9756 gef_print(titlify(f"GEF configuration settings matching '{argv[0]}'"))
+9757 for name in names: self.print_setting(name)
+9758 return
+ +9760 self.set_setting(argv)
+9761 return
+ +9763 def print_setting(self, plugin_name: str, verbose: bool = False) -> None:
+9764 res = gef.config.raw_entry(plugin_name)
+9765 string_color = gef.config["theme.dereference_string"]
+9766 misc_color = gef.config["theme.dereference_base_address"]
+ +9768 if not res: 9768 ↛ 9769line 9768 didn't jump to line 9769, because the condition on line 9768 was never true
+9769 return
+ +9771 _setting = Color.colorify(plugin_name, "green")
+9772 _type = res.type.__name__
+9773 if _type == "str":
+9774 _value = f'"{Color.colorify(res.value, string_color)}"'
+9775 else:
+9776 _value = Color.colorify(res.value, misc_color)
+ +9778 gef_print(f"{_setting} ({_type}) = {_value}")
+ +9780 if verbose:
+9781 gef_print(Color.colorify("\nDescription:", "bold underline"))
+9782 gef_print(f"\t{res.description}")
+9783 return
+ +9785 def print_settings(self) -> None:
+9786 for x in sorted(gef.config):
+9787 self.print_setting(x)
+9788 return
+ +9790 def set_setting(self, argv: Tuple[str, Any]) -> None:
+9791 global gef
+9792 key, new_value = argv
+ +9794 if "." not in key: 9794 ↛ 9795line 9794 didn't jump to line 9795, because the condition on line 9794 was never true
+9795 err("Invalid command format")
+9796 return
+ +9798 loaded_commands = list( gef.gdb.commands.keys()) + ["gef"]
+9799 plugin_name = key.split(".", 1)[0]
+9800 if plugin_name not in loaded_commands: 9800 ↛ 9801line 9800 didn't jump to line 9801, because the condition on line 9800 was never true
+9801 err(f"Unknown plugin '{plugin_name}'")
+9802 return
+ +9804 if key not in gef.config: 9804 ↛ 9805line 9804 didn't jump to line 9805, because the condition on line 9804 was never true
+9805 err(f"'{key}' is not a valid configuration setting")
+9806 return
+ +9808 _type = gef.config.raw_entry(key).type
+9809 try:
+9810 if _type == bool:
+9811 _newval = True if new_value.upper() in ("TRUE", "T", "1") else False
+9812 else:
+9813 _newval = new_value
+ +9815 gef.config[key] = _newval
+9816 except Exception as e:
+9817 err(f"'{key}' expects type '{_type.__name__}', got {type(new_value).__name__}: reason {str(e)}")
+9818 return
+ +9820 reset_all_caches()
+9821 return
+ +9823 def complete(self, text: str, word: str) -> List[str]:
+9824 settings = sorted(gef.config)
+ +9826 if text == "":
+9827 # no prefix: example: `gef config TAB`
+9828 return [s for s in settings if word in s]
+ +9830 if "." not in text:
+9831 # if looking for possible prefix
+9832 return [s for s in settings if s.startswith(text.strip())]
+ +9834 # finally, look for possible values for given prefix
+9835 return [s.split(".", 1)[1] for s in settings if s.startswith(text.strip())]
+ + +9838class GefSaveCommand(gdb.Command):
+9839 """GEF save sub-command.
+9840 Saves the current configuration of GEF to disk (by default in file '~/.gef.rc')."""
+9841 _cmdline_ = "gef save"
+9842 _syntax_ = _cmdline_
+ +9844 def __init__(self) -> None:
+9845 super().__init__(self._cmdline_, gdb.COMMAND_SUPPORT, gdb.COMPLETE_NONE, False)
+9846 return
+ +9848 def invoke(self, args: Any, from_tty: bool) -> None:
+9849 self.dont_repeat()
+9850 cfg = configparser.RawConfigParser()
+9851 old_sect = None
+ +9853 # save the configuration
+9854 for key in sorted(gef.config):
+9855 sect, optname = key.split(".", 1)
+9856 value = gef.config[key]
+ +9858 if old_sect != sect:
+9859 cfg.add_section(sect)
+9860 old_sect = sect
+ +9862 cfg.set(sect, optname, value)
+ +9864 # save the aliases
+9865 cfg.add_section("aliases")
+9866 for alias in gef.session.aliases:
+9867 cfg.set("aliases", alias._alias, alias._command)
+ +9869 with GEF_RC.open("w") as fd:
+9870 cfg.write(fd)
+ +9872 ok(f"Configuration saved to '{GEF_RC}'")
+9873 return
+ + +9876class GefRestoreCommand(gdb.Command):
+9877 """GEF restore sub-command.
+9878 Loads settings from file '~/.gef.rc' and apply them to the configuration of GEF."""
+9879 _cmdline_ = "gef restore"
+9880 _syntax_ = _cmdline_
+ +9882 def __init__(self) -> None:
+9883 super().__init__(self._cmdline_, gdb.COMMAND_SUPPORT, gdb.COMPLETE_NONE, False)
+9884 self.reload(True)
+9885 return
+ +9887 def invoke(self, args: str, from_tty: bool) -> None:
+9888 self.dont_repeat()
+9889 if GEF_RC.is_file():
+9890 quiet = (args.lower() == "quiet")
+9891 self.reload(quiet)
+9892 return
+ +9894 def reload(self, quiet: bool):
+9895 cfg = configparser.ConfigParser()
+9896 cfg.read(GEF_RC)
+ +9898 for section in cfg.sections():
+9899 if section == "aliases":
+9900 # load the aliases
+9901 for key in cfg.options(section):
+9902 try:
+9903 GefAlias(key, cfg.get(section, key))
+9904 except:
+9905 pass
+9906 continue
+ +9908 # load the other options
+9909 for optname in cfg.options(section):
+9910 key = f"{section}.{optname}"
+9911 try:
+9912 setting = gef.config.raw_entry(key)
+9913 except Exception:
+9914 continue
+9915 new_value = cfg.get(section, optname)
+9916 if setting.type == bool:
+9917 new_value = True if new_value.upper() in ("TRUE", "T", "1") else False
+9918 setting.value = setting.type(new_value)
+ +9920 if not quiet: 9920 ↛ 9921line 9920 didn't jump to line 9921, because the condition on line 9920 was never true
+9921 ok(f"Configuration from '{Color.colorify(str(GEF_RC), 'bold blue')}' restored")
+9922 return
+ + +9925class GefMissingCommand(gdb.Command):
+9926 """GEF missing sub-command
+9927 Display the GEF commands that could not be loaded, along with the reason of why
+9928 they could not be loaded.
+9929 """
+9930 _cmdline_ = "gef missing"
+9931 _syntax_ = _cmdline_
+ +9933 def __init__(self) -> None:
+9934 super().__init__(self._cmdline_, gdb.COMMAND_SUPPORT, gdb.COMPLETE_NONE, False)
+9935 return
+ +9937 def invoke(self, args: Any, from_tty: bool) -> None:
+9938 self.dont_repeat()
+9939 missing_commands = gef.gdb.missing
+9940 if not missing_commands:
+9941 ok("No missing command")
+9942 return
+ +9944 for missing_command, reason in missing_commands.items():
+9945 warn(f"Command `{missing_command}` is missing, reason {RIGHT_ARROW} {reason}")
+9946 return
+ + +9949class GefSetCommand(gdb.Command):
+9950 """Override GDB set commands with the context from GEF."""
+9951 _cmdline_ = "gef set"
+9952 _syntax_ = f"{_cmdline_} [GDB_SET_ARGUMENTS]"
+ +9954 def __init__(self) -> None:
+9955 super().__init__(self._cmdline_, gdb.COMMAND_SUPPORT, gdb.COMPLETE_SYMBOL, False)
+9956 return
+ +9958 def invoke(self, args: Any, from_tty: bool) -> None:
+9959 self.dont_repeat()
+9960 args = args.split()
+9961 cmd = ["set", args[0],]
+9962 for p in args[1:]:
+9963 if p.startswith("$_gef"): 9963 ↛ 9967line 9963 didn't jump to line 9967, because the condition on line 9963 was never false
+9964 c = gdb.parse_and_eval(p)
+9965 cmd.append(c.string())
+9966 else:
+9967 cmd.append(p)
+ +9969 gdb.execute(" ".join(cmd))
+9970 return
+ + +9973class GefRunCommand(gdb.Command):
+9974 """Override GDB run commands with the context from GEF.
+9975 Simple wrapper for GDB run command to use arguments set from `gef set args`."""
+9976 _cmdline_ = "gef run"
+9977 _syntax_ = f"{_cmdline_} [GDB_RUN_ARGUMENTS]"
+ +9979 def __init__(self) -> None:
+9980 super().__init__(self._cmdline_, gdb.COMMAND_SUPPORT, gdb.COMPLETE_FILENAME, False)
+9981 return
+ +9983 def invoke(self, args: Any, from_tty: bool) -> None:
+9984 self.dont_repeat()
+9985 if is_alive():
+9986 gdb.execute("continue")
+9987 return
+ +9989 argv = args.split()
+9990 gdb.execute(f"gef set args {' '.join(argv)}")
+9991 gdb.execute("run")
+9992 return
+ + +9995class GefAlias(gdb.Command):
+9996 """Simple aliasing wrapper because GDB doesn't do what it should."""
+ +9998 def __init__(self, alias: str, command: str, completer_class: int = gdb.COMPLETE_NONE, command_class: int = gdb.COMMAND_NONE) -> None:
+9999 p = command.split()
+10000 if not p: 10000 ↛ 10001line 10000 didn't jump to line 10001, because the condition on line 10000 was never true
+10001 return
+ +10003 if any(x for x in gef.session.aliases if x._alias == alias):
+10004 return
+ +10006 self._command = command
+10007 self._alias = alias
+10008 c = command.split()[0]
+10009 r = self.lookup_command(c)
+10010 self.__doc__ = f"Alias for '{Color.greenify(command)}'"
+10011 if r is not None:
+10012 _instance = r[1]
+10013 self.__doc__ += f": {_instance.__doc__}"
+ +10015 if hasattr(_instance, "complete"): 10015 ↛ 10016line 10015 didn't jump to line 10016, because the condition on line 10015 was never true
+10016 self.complete = _instance.complete
+ +10018 super().__init__(alias, command_class, completer_class=completer_class)
+10019 gef.session.aliases.append(self)
+10020 return
+ +10022 def invoke(self, args: Any, from_tty: bool) -> None:
+10023 gdb.execute(f"{self._command} {args}", from_tty=from_tty)
+10024 return
+ +10026 def lookup_command(self, cmd: str) -> Optional[Tuple[str, GenericCommand]]:
+10027 global gef
+10028 for _name, _instance in gef.gdb.commands.items():
+10029 if cmd == _name:
+10030 return _name, _instance
+ +10032 return None
+ + +10035@register
+10036class AliasesCommand(GenericCommand):
+10037 """Base command to add, remove, or list aliases."""
+ +10039 _cmdline_ = "aliases"
+10040 _syntax_ = f"{_cmdline_} (add|rm|ls)"
+ +10042 def __init__(self) -> None:
+10043 super().__init__(prefix=True)
+10044 return
+ +10046 def do_invoke(self, _: List[str]) -> None:
+10047 self.usage()
+10048 return
+ + +10051@register
+10052class AliasesAddCommand(AliasesCommand):
+10053 """Command to add aliases."""
+ +10055 _cmdline_ = "aliases add"
+10056 _syntax_ = f"{_cmdline_} [ALIAS] [COMMAND]"
+10057 _example_ = f"{_cmdline_} scope telescope"
+ +10059 def __init__(self) -> None:
+10060 super().__init__()
+10061 return
+ +10063 def do_invoke(self, argv: List[str]) -> None:
+10064 if len(argv) < 2: 10064 ↛ 10065line 10064 didn't jump to line 10065, because the condition on line 10064 was never true
+10065 self.usage()
+10066 return
+10067 GefAlias(argv[0], " ".join(argv[1:]))
+10068 return
+ + +10071@register
+10072class AliasesRmCommand(AliasesCommand):
+10073 """Command to remove aliases."""
+ +10075 _cmdline_ = "aliases rm"
+10076 _syntax_ = f"{_cmdline_} [ALIAS]"
+ +10078 def __init__(self) -> None:
+10079 super().__init__()
+10080 return
+ +10082 def do_invoke(self, argv: List[str]) -> None:
+10083 global gef
+10084 if len(argv) != 1: 10084 ↛ 10085line 10084 didn't jump to line 10085, because the condition on line 10084 was never true
+10085 self.usage()
+10086 return
+10087 try:
+10088 alias_to_remove = next(filter(lambda x: x._alias == argv[0], gef.session.aliases))
+10089 gef.session.aliases.remove(alias_to_remove)
+10090 except (ValueError, StopIteration):
+10091 err(f"{argv[0]} not found in aliases.")
+10092 return
+10093 gef_print("You must reload GEF for alias removals to apply.")
+10094 return
+ + +10097@register
+10098class AliasesListCommand(AliasesCommand):
+10099 """Command to list aliases."""
+ +10101 _cmdline_ = "aliases ls"
+10102 _syntax_ = _cmdline_
+ +10104 def __init__(self) -> None:
+10105 super().__init__()
+10106 return
+ +10108 def do_invoke(self, _: List[str]) -> None:
+10109 ok("Aliases defined:")
+10110 for a in gef.session.aliases:
+10111 gef_print(f"{a._alias:30s} {RIGHT_ARROW} {a._command}")
+10112 return
+ + +10115class GefTmuxSetup(gdb.Command):
+10116 """Setup a confortable tmux debugging environment."""
+ +10118 def __init__(self) -> None:
+10119 super().__init__("tmux-setup", gdb.COMMAND_NONE, gdb.COMPLETE_NONE)
+10120 GefAlias("screen-setup", "tmux-setup")
+10121 return
+ +10123 def invoke(self, args: Any, from_tty: bool) -> None:
+10124 self.dont_repeat()
+ +10126 tmux = os.getenv("TMUX")
+10127 if tmux:
+10128 self.tmux_setup()
+10129 return
+ +10131 screen = os.getenv("TERM")
+10132 if screen is not None and screen == "screen":
+10133 self.screen_setup()
+10134 return
+ +10136 warn("Not in a tmux/screen session")
+10137 return
+ +10139 def tmux_setup(self) -> None:
+10140 """Prepare the tmux environment by vertically splitting the current pane, and
+10141 forcing the context to be redirected there."""
+10142 tmux = which("tmux")
+10143 ok("tmux session found, splitting window...")
+ +10145 pane, pty = subprocess.check_output([tmux, "splitw", "-h", '-F#{session_name}:#{window_index}.#{pane_index}-#{pane_tty}', "-P"]).decode().strip().split("-")
+10146 atexit.register(lambda : subprocess.run([tmux, "kill-pane", "-t", pane]))
+10147 # clear the screen and let it wait for input forever
+10148 gdb.execute(f"! {tmux} send-keys -t {pane} 'clear ; cat' C-m")
+10149 gdb.execute(f"! {tmux} select-pane -L")
+ +10151 ok(f"Setting `context.redirect` to '{pty}'...")
+10152 gdb.execute(f"gef config context.redirect {pty}")
+10153 ok("Done!")
+10154 return
+ +10156 def screen_setup(self) -> None:
+10157 """Hackish equivalent of the tmux_setup() function for screen."""
+10158 screen = which("screen")
+10159 sty = os.getenv("STY")
+10160 ok("screen session found, splitting window...")
+10161 fd_script, script_path = tempfile.mkstemp()
+10162 fd_tty, tty_path = tempfile.mkstemp()
+10163 os.close(fd_tty)
+ +10165 with os.fdopen(fd_script, "w") as f:
+10166 f.write("startup_message off\n")
+10167 f.write("split -v\n")
+10168 f.write("focus right\n")
+10169 f.write(f"screen bash -c 'tty > {tty_path}; clear; cat'\n")
+10170 f.write("focus left\n")
+ +10172 gdb.execute(f"! {screen} -r {sty} -m -d -X source {script_path}")
+10173 # artificial delay to make sure `tty_path` is populated
+10174 time.sleep(0.25)
+10175 with open(tty_path, "r") as f:
+10176 pty = f.read().strip()
+10177 ok(f"Setting `context.redirect` to '{pty}'...")
+10178 gdb.execute(f"gef config context.redirect {pty}")
+10179 ok("Done!")
+10180 os.unlink(script_path)
+10181 os.unlink(tty_path)
+10182 return
+ + +10185class GefInstallExtraScriptCommand(gdb.Command):
+10186 """`gef install` command: installs one or more scripts from the `gef-extras` script repo. Note that the command
+10187 doesn't check for external dependencies the script(s) might require."""
+10188 _cmdline_ = "gef install"
+10189 _syntax_ = f"{_cmdline_} SCRIPTNAME [SCRIPTNAME [SCRIPTNAME...]]"
+ +10191 def __init__(self) -> None:
+10192 super().__init__(self._cmdline_, gdb.COMMAND_SUPPORT, gdb.COMPLETE_NONE, False)
+10193 self.branch = gef.config.get("gef.extras_default_branch", GEF_EXTRAS_DEFAULT_BRANCH)
+10194 return
+ +10196 def invoke(self, argv: str, from_tty: bool) -> None:
+10197 self.dont_repeat()
+10198 if not argv: 10198 ↛ 10199line 10198 didn't jump to line 10199, because the condition on line 10198 was never true
+10199 err("No script name provided")
+10200 return
+ +10202 args = argv.split()
+ +10204 if "--list" in args or "-l" in args: 10204 ↛ 10205line 10204 didn't jump to line 10205, because the condition on line 10204 was never true
+10205 subprocess.run(["xdg-open", f"https://github.com/hugsy/gef-extras/{self.branch}/"])
+10206 return
+ +10208 self.dirpath = pathlib.Path(gef.config["gef.tempdir"]).expanduser().absolute()
+10209 if not self.dirpath.is_dir(): 10209 ↛ 10210line 10209 didn't jump to line 10210, because the condition on line 10209 was never true
+10210 err("'gef.tempdir' is not a valid directory")
+10211 return
+ +10213 for script in args:
+10214 script = script.lower()
+10215 if not self.__install_extras_script(script): 10215 ↛ 10216line 10215 didn't jump to line 10216, because the condition on line 10215 was never true
+10216 warn(f"Failed to install '{script}', skipping...")
+10217 return
+ + +10220 def __install_extras_script(self, script: str) -> bool:
+10221 fpath = self.dirpath / f"{script}.py"
+10222 if not fpath.exists(): 10222 ↛ 10234line 10222 didn't jump to line 10234, because the condition on line 10222 was never false
+10223 url = f"https://raw.githubusercontent.com/hugsy/gef-extras/{self.branch}/scripts/{script}.py"
+10224 info(f"Searching for '{script}.py' in `gef-extras@{self.branch}`...")
+10225 data = http_get(url)
+10226 if not data: 10226 ↛ 10227line 10226 didn't jump to line 10227, because the condition on line 10226 was never true
+10227 warn("Not found")
+10228 return False
+ +10230 with fpath.open("wb") as fd:
+10231 fd.write(data)
+10232 fd.flush()
+ +10234 old_command_set = set(gef.gdb.commands)
+10235 gdb.execute(f"source {fpath}")
+10236 new_command_set = set(gef.gdb.commands)
+10237 new_commands = [f"`{c[0]}`" for c in (new_command_set - old_command_set)]
+10238 ok(f"Installed file '{fpath}', new command(s) available: {', '.join(new_commands)}")
+10239 return True
+ + + +10243# GEF internal classes
+ + +10246def __gef_prompt__(current_prompt: Callable[[Callable], str]) -> str:
+10247 """GEF custom prompt function."""
+10248 if gef.config["gef.readline_compat"] is True: return GEF_PROMPT
+10249 if gef.config["gef.disable_color"] is True: return GEF_PROMPT
+10250 prompt = ""
+10251 if gef.session.remote:
+10252 prompt += Color.boldify("(remote) ")
+10253 prompt += GEF_PROMPT_ON if is_alive() else GEF_PROMPT_OFF
+10254 return prompt
+ + +10257class GefManager(metaclass=abc.ABCMeta):
+10258 def reset_caches(self) -> None:
+10259 """Reset the LRU-cached attributes"""
+10260 for attr in dir(self):
+10261 try:
+10262 obj = getattr(self, attr)
+10263 if not hasattr(obj, "cache_clear"): 10263 ↛ 10265line 10263 didn't jump to line 10265, because the condition on line 10263 was never false
+10264 continue
+10265 obj.cache_clear()
+10266 except: # we're reseting the cache here, we don't care if (or which) exception triggers
+10267 continue
+10268 return
+ + +10271class GefMemoryManager(GefManager):
+10272 """Class that manages memory access for gef."""
+10273 def __init__(self) -> None:
+10274 self.reset_caches()
+10275 return
+ +10277 def reset_caches(self) -> None:
+10278 super().reset_caches()
+10279 self.__maps = None
+10280 return
+ +10282 def write(self, address: int, buffer: ByteString, length: Optional[int] = None) -> None:
+10283 """Write `buffer` at address `address`."""
+10284 length = length or len(buffer)
+10285 gdb.selected_inferior().write_memory(address, buffer, length)
+ +10287 def read(self, addr: int, length: int = 0x10) -> bytes:
+10288 """Return a `length` long byte array with the copy of the process memory at `addr`."""
+10289 return gdb.selected_inferior().read_memory(addr, length).tobytes()
+ +10291 def read_integer(self, addr: int) -> int:
+10292 """Return an integer read from memory."""
+10293 sz = gef.arch.ptrsize
+10294 mem = self.read(addr, sz)
+10295 unpack = u32 if sz == 4 else u64
+10296 return unpack(mem)
+ +10298 def read_cstring(self,
+10299 address: int,
+10300 max_length: int = GEF_MAX_STRING_LENGTH,
+10301 encoding: Optional[str] = None) -> str:
+10302 """Return a C-string read from memory."""
+10303 encoding = encoding or "unicode-escape"
+10304 length = min(address | (DEFAULT_PAGE_SIZE-1), max_length+1)
+ +10306 try:
+10307 res_bytes = self.read(address, length)
+10308 except gdb.error:
+10309 err(f"Can't read memory at '{address}'")
+10310 return ""
+10311 try:
+10312 with warnings.catch_warnings():
+10313 # ignore DeprecationWarnings (see #735)
+10314 warnings.simplefilter("ignore")
+10315 res = res_bytes.decode(encoding, "strict")
+10316 except UnicodeDecodeError:
+10317 # latin-1 as fallback due to its single-byte to glyph mapping
+10318 res = res_bytes.decode("latin-1", "replace")
+ +10320 res = res.split("\x00", 1)[0]
+10321 ustr = res.replace("\n", "\\n").replace("\r", "\\r").replace("\t", "\\t")
+10322 if max_length and len(res) > max_length:
+10323 return f"{ustr[:max_length]}[...]"
+10324 return ustr
+ +10326 def read_ascii_string(self, address: int) -> Optional[str]:
+10327 """Read an ASCII string from memory"""
+10328 cstr = self.read_cstring(address)
+10329 if isinstance(cstr, str) and cstr and all(x in string.printable for x in cstr):
+10330 return cstr
+10331 return None
+ +10333 @property
+10334 def maps(self) -> List[Section]:
+10335 if not self.__maps:
+10336 self.__maps = self.__parse_maps()
+10337 return self.__maps
+ +10339 def __parse_maps(self) -> List[Section]:
+10340 """Return the mapped memory sections"""
+10341 try:
+10342 if is_qemu_system(): 10342 ↛ 10343line 10342 didn't jump to line 10343, because the condition on line 10342 was never true
+10343 return list(self.__parse_info_mem())
+10344 except gdb.error:
+10345 # Target may not support this command
+10346 pass
+10347 try:
+10348 return list(self.__parse_procfs_maps())
+10349 except FileNotFoundError:
+10350 return list(self.__parse_gdb_info_sections())
+ +10352 def __parse_procfs_maps(self) -> Generator[Section, None, None]:
+10353 """Get the memory mapping from procfs."""
+10354 procfs_mapfile = gef.session.maps
+10355 if not procfs_mapfile:
+10356 is_remote = gef.session.remote is not None
+10357 raise FileNotFoundError(f"Missing {'remote ' if is_remote else ''}procfs map file")
+10358 with procfs_mapfile.open("r") as fd:
+10359 for line in fd:
+10360 line = line.strip()
+10361 addr, perm, off, _, rest = line.split(" ", 4)
+10362 rest = rest.split(" ", 1)
+10363 if len(rest) == 1:
+10364 inode = rest[0]
+10365 pathname = ""
+10366 else:
+10367 inode = rest[0]
+10368 pathname = rest[1].lstrip()
+ +10370 addr_start, addr_end = parse_string_range(addr)
+10371 off = int(off, 16)
+10372 perm = Permission.from_process_maps(perm)
+10373 inode = int(inode)
+10374 yield Section(page_start=addr_start,
+10375 page_end=addr_end,
+10376 offset=off,
+10377 permission=perm,
+10378 inode=inode,
+10379 path=pathname)
+10380 return
+ +10382 def __parse_gdb_info_sections(self) -> Generator[Section, None, None]:
+10383 """Get the memory mapping from GDB's command `maintenance info sections` (limited info)."""
+10384 stream = StringIO(gdb.execute("maintenance info sections", to_string=True))
+ +10386 for line in stream:
+10387 if not line: 10387 ↛ 10388line 10387 didn't jump to line 10388, because the condition on line 10387 was never true
+10388 break
+ +10390 try:
+10391 parts = [x for x in line.split()]
+10392 addr_start, addr_end = [int(x, 16) for x in parts[1].split("->")]
+10393 off = int(parts[3][:-1], 16)
+10394 path = parts[4]
+10395 perm = Permission.from_info_sections(parts[5:])
+10396 yield Section(
+10397 page_start=addr_start,
+10398 page_end=addr_end,
+10399 offset=off,
+10400 permission=perm,
+10401 inode="",
+10402 path=path
+10403 )
+ +10405 except IndexError: 10405 ↛ 10406line 10405 didn't jump to line 10406, because the exception caught by line 10405 didn't happen
+10406 continue
+10407 except ValueError:
+10408 continue
+10409 return
+ +10411 def __parse_info_mem(self) -> Generator[Section, None, None]:
+10412 """Get the memory mapping from GDB's command `monitor info mem`"""
+10413 for line in StringIO(gdb.execute("monitor info mem", to_string=True)):
+10414 if not line:
+10415 break
+10416 try:
+10417 ranges, off, perms = line.split()
+10418 off = int(off, 16)
+10419 start, end = [int(s, 16) for s in ranges.split("-")]
+10420 except ValueError as e:
+10421 continue
+ +10423 perm = Permission.from_info_mem(perms)
+10424 yield Section(
+10425 page_start=start,
+10426 page_end=end,
+10427 offset=off,
+10428 permission=perm,
+10429 inode="",
+10430 )
+ + +10433class GefHeapManager(GefManager):
+10434 """Class managing session heap."""
+10435 def __init__(self) -> None:
+10436 self.reset_caches()
+10437 return
+ +10439 def reset_caches(self) -> None:
+10440 self.__libc_main_arena: Optional[GlibcArena] = None
+10441 self.__libc_selected_arena: Optional[GlibcArena] = None
+10442 self.__heap_base = None
+10443 return
+ +10445 @property
+10446 def main_arena(self) -> Optional[GlibcArena]:
+10447 if not self.__libc_main_arena:
+10448 try:
+10449 __main_arena_addr = GefHeapManager.find_main_arena_addr()
+10450 self.__libc_main_arena = GlibcArena(f"*{__main_arena_addr:#x}")
+10451 # the initialization of `main_arena` also defined `selected_arena`, so
+10452 # by default, `main_arena` == `selected_arena`
+10453 self.selected_arena = self.__libc_main_arena
+10454 except:
+10455 # the search for arena can fail when the session is not started
+10456 pass
+10457 return self.__libc_main_arena
+ +10459 @main_arena.setter
+10460 def main_arena(self, value: GlibcArena) -> None:
+10461 self.__libc_main_arena = value
+10462 return
+ +10464 @staticmethod
+10465 @lru_cache()
+10466 def find_main_arena_addr() -> int:
+10467 assert gef.libc.version
+10468 """A helper function to find the glibc `main_arena` address, either from
+10469 symbol, from its offset from `__malloc_hook` or by brute force."""
+10470 # Before anything else, use libc offset from config if available
+10471 if gef.config["gef.main_arena_offset"]: 10471 ↛ 10472line 10471 didn't jump to line 10472, because the condition on line 10471 was never true
+10472 try:
+10473 libc_base = get_section_base_address("libc")
+10474 offset = parse_address(gef.config["gef.main_arena_offset"])
+10475 if libc_base:
+10476 dbg(f"Using main_arena_offset={offset:#x} from config")
+10477 addr = libc_base + offset
+ +10479 # Verify the found address before returning
+10480 if GlibcArena.verify(addr):
+10481 return addr
+10482 except gdb.error:
+10483 pass
+ +10485 # First, try to find `main_arena` symbol directly
+10486 try:
+10487 return parse_address(f"&{LIBC_HEAP_MAIN_ARENA_DEFAULT_NAME}")
+10488 except gdb.error:
+10489 pass
+ +10491 # Second, try to find it by offset from `__malloc_hook`
+10492 if gef.libc.version < (2, 34):
+10493 try:
+10494 malloc_hook_addr = parse_address("(void *)&__malloc_hook")
+ +10496 struct_size = ctypes.sizeof(GlibcArena.malloc_state_t())
+ +10498 if is_x86():
+10499 addr = align_address_to_size(malloc_hook_addr + gef.arch.ptrsize, 0x20)
+10500 elif is_arch(Elf.Abi.AARCH64):
+10501 addr = malloc_hook_addr - gef.arch.ptrsize*2 - struct_size
+10502 elif is_arch(Elf.Abi.ARM):
+10503 addr = malloc_hook_addr - gef.arch.ptrsize - struct_size
+10504 else:
+10505 addr = None
+ +10507 # Verify the found address before returning
+10508 if addr and GlibcArena.verify(addr):
+10509 return addr
+ +10511 except gdb.error:
+10512 pass
+ +10514 # Last resort, try to find it via brute force if enabled in settings
+10515 if gef.config["gef.bruteforce_main_arena"]:
+10516 alignment = 0x8
+10517 try:
+10518 dbg("Trying to bruteforce main_arena address")
+10519 # setup search_range for `main_arena` to `.data` of glibc
+10520 search_filter = lambda f: "libc" in f.filename and f.name == ".data"
+10521 dotdata = list(filter(search_filter, get_info_files()))[0]
+10522 search_range = range(dotdata.zone_start, dotdata.zone_end, alignment)
+10523 # find first possible candidate
+10524 for addr in search_range:
+10525 if GlibcArena.verify(addr):
+10526 dbg(f"Found candidate at {addr:#x}")
+10527 return addr
+10528 dbg("Bruteforce not successful")
+10529 except Exception:
+10530 pass
+ +10532 # Nothing helped
+10533 err_msg = f"Cannot find main_arena for {gef.arch.arch}. You might want to set a manually found libc offset "
+10534 if not gef.config["gef.bruteforce_main_arena"]:
+10535 err_msg += "or allow bruteforcing "
+10536 err_msg += "through the GEF config."
+10537 raise OSError(err_msg)
+ +10539 @property
+10540 def selected_arena(self) -> Optional[GlibcArena]:
+10541 if not self.__libc_selected_arena: 10541 ↛ 10543line 10541 didn't jump to line 10543, because the condition on line 10541 was never true
+10542 # `selected_arena` must default to `main_arena`
+10543 self.__libc_selected_arena = self.main_arena
+10544 return self.__libc_selected_arena
+ +10546 @selected_arena.setter
+10547 def selected_arena(self, value: GlibcArena) -> None:
+10548 self.__libc_selected_arena = value
+10549 return
+ +10551 @property
+10552 def arenas(self) -> Union[List, Iterator[GlibcArena]]:
+10553 if not self.main_arena: 10553 ↛ 10554line 10553 didn't jump to line 10554, because the condition on line 10553 was never true
+10554 return []
+10555 return iter(self.main_arena)
+ +10557 @property
+10558 def base_address(self) -> Optional[int]:
+10559 if not self.__heap_base:
+10560 base = 0
+10561 try:
+10562 base = parse_address("mp_->sbrk_base")
+10563 base = self.malloc_align_address(base)
+10564 except gdb.error:
+10565 # missing symbol, try again
+10566 base = 0
+10567 if not base: 10567 ↛ 10568line 10567 didn't jump to line 10568, because the condition on line 10567 was never true
+10568 base = get_section_base_address("[heap]")
+10569 self.__heap_base = base
+10570 return self.__heap_base
+ +10572 @property
+10573 def chunks(self) -> Union[List, Iterator]:
+10574 if not self.base_address:
+10575 return []
+10576 return iter(GlibcChunk(self.base_address, from_base=True))
+ +10578 @property
+10579 def min_chunk_size(self) -> int:
+10580 return 4 * gef.arch.ptrsize
+ +10582 @property
+10583 def malloc_alignment(self) -> int:
+10584 assert gef.libc.version
+10585 __default_malloc_alignment = 0x10
+10586 if gef.libc.version >= (2, 26) and is_x86_32(): 10586 ↛ 10589line 10586 didn't jump to line 10589, because the condition on line 10586 was never true
+10587 # Special case introduced in Glibc 2.26:
+10588 # https://elixir.bootlin.com/glibc/glibc-2.26/source/sysdeps/i386/malloc-alignment.h#L22
+10589 return __default_malloc_alignment
+10590 # Generic case:
+10591 # https://elixir.bootlin.com/glibc/glibc-2.26/source/sysdeps/generic/malloc-alignment.h#L22
+10592 return 2 * gef.arch.ptrsize
+ +10594 def csize2tidx(self, size: int) -> int:
+10595 return abs((size - self.min_chunk_size + self.malloc_alignment - 1)) // self.malloc_alignment
+ +10597 def tidx2size(self, idx: int) -> int:
+10598 return idx * self.malloc_alignment + self.min_chunk_size
+ +10600 def malloc_align_address(self, address: int) -> int:
+10601 """Align addresses according to glibc's MALLOC_ALIGNMENT. See also Issue #689 on Github"""
+10602 malloc_alignment = self.malloc_alignment
+10603 ceil = lambda n: int(-1 * n // 1 * -1)
+10604 return malloc_alignment * ceil((address / malloc_alignment))
+ + +10607class GefSetting:
+10608 """Basic class for storing gef settings as objects"""
+10609 READ_ACCESS = 0
+10610 WRITE_ACCESS = 1
+ +10612 def __init__(self, value: Any, cls: Optional[type] = None, description: Optional[str] = None, hooks: Optional[Dict[str, Callable]] = None) -> None:
+10613 self.value = value
+10614 self.type = cls or type(value)
+10615 self.description = description or ""
+10616 self.hooks: Tuple[List[Callable], List[Callable]] = ([], [])
+10617 if hooks:
+10618 for access, func in hooks.items():
+10619 if access == "on_read": 10619 ↛ 10620line 10619 didn't jump to line 10620, because the condition on line 10619 was never true
+10620 idx = GefSetting.READ_ACCESS
+10621 elif access == "on_write": 10621 ↛ 10624line 10621 didn't jump to line 10624, because the condition on line 10621 was never false
+10622 idx = GefSetting.WRITE_ACCESS
+10623 else:
+10624 raise ValueError
+10625 if not callable(func): 10625 ↛ 10626line 10625 didn't jump to line 10626, because the condition on line 10625 was never true
+10626 raise ValueError(f"hook is not callable")
+10627 self.hooks[idx].append(func)
+10628 return
+ +10630 def __str__(self) -> str:
+10631 return f"Setting(type={self.type.__name__}, value='{self.value}', desc='{self.description[:10]}...', "\
+10632 f"read_hooks={len(self.hooks[GefSetting.READ_ACCESS])}, write_hooks={len(self.hooks[GefSetting.READ_ACCESS])})"
+ + +10635class GefSettingsManager(dict):
+10636 """
+10637 GefSettings acts as a dict where the global settings are stored and can be read, written or deleted as any other dict.
+10638 For instance, to read a specific command setting: `gef.config[mycommand.mysetting]`
+10639 """
+10640 def __getitem__(self, name: str) -> Any:
+10641 setting : GefSetting = super().__getitem__(name)
+10642 self.__invoke_read_hooks(setting)
+10643 return setting.value
+ +10645 def __setitem__(self, name: str, value: Any) -> None:
+10646 # check if the key exists
+10647 if super().__contains__(name):
+10648 # if so, update its value directly
+10649 setting = super().__getitem__(name)
+10650 if not isinstance(setting, GefSetting): raise ValueError 10650 ↛ exitline 10650 didn't except from function '__setitem__', because the raise on line 10650 wasn't executed
+10651 setting.value = setting.type(value)
+10652 else:
+10653 # if not, `value` must be a GefSetting
+10654 if not isinstance(value, GefSetting): raise Exception("Invalid argument") 10654 ↛ exitline 10654 didn't except from function '__setitem__', because the raise on line 10654 wasn't executed
+10655 if not value.type: raise Exception("Invalid type") 10655 ↛ exitline 10655 didn't except from function '__setitem__', because the raise on line 10655 wasn't executed
+10656 if not value.description: raise Exception("Invalid description") 10656 ↛ exitline 10656 didn't except from function '__setitem__', because the raise on line 10656 wasn't executed
+10657 setting = value
+10658 super().__setitem__(name, setting)
+10659 self.__invoke_write_hooks(setting)
+10660 return
+ +10662 def __delitem__(self, name: str) -> None:
+10663 super().__delitem__(name)
+10664 return
+ +10666 def raw_entry(self, name: str) -> GefSetting:
+10667 return super().__getitem__(name)
+ +10669 def __invoke_read_hooks(self, setting: GefSetting) -> None:
+10670 self.__invoke_hooks(is_write=False, setting=setting)
+10671 return
+ +10673 def __invoke_write_hooks(self, setting: GefSetting) -> None:
+10674 self.__invoke_hooks(is_write=True, setting=setting)
+10675 return
+ +10677 def __invoke_hooks(self, is_write: bool, setting: GefSetting) -> None:
+10678 if not setting.hooks: 10678 ↛ 10679line 10678 didn't jump to line 10679, because the condition on line 10678 was never true
+10679 return
+10680 idx = int(is_write)
+10681 if setting.hooks[idx]:
+10682 for callback in setting.hooks[idx]:
+10683 callback()
+10684 return
+ + +10687class GefSessionManager(GefManager):
+10688 """Class managing the runtime properties of GEF. """
+10689 def __init__(self) -> None:
+10690 self.reset_caches()
+10691 self.remote: Optional["GefRemoteSessionManager"] = None
+10692 self.remote_initializing: bool = False
+10693 self.qemu_mode: bool = False
+10694 self.convenience_vars_index: int = 0
+10695 self.heap_allocated_chunks: List[Tuple[int, int]] = []
+10696 self.heap_freed_chunks: List[Tuple[int, int]] = []
+10697 self.heap_uaf_watchpoints: List[UafWatchpoint] = []
+10698 self.pie_breakpoints: Dict[int, PieVirtualBreakpoint] = {}
+10699 self.pie_counter: int = 1
+10700 self.aliases: List[GefAlias] = []
+10701 self.modules: List[FileFormat] = []
+10702 self.constants = {} # a dict for runtime constants (like 3rd party file paths)
+10703 for constant in ("python3", "readelf", "file", "ps"):
+10704 self.constants[constant] = which(constant)
+10705 return
+ +10707 def reset_caches(self) -> None:
+10708 super().reset_caches()
+10709 self._auxiliary_vector = None
+10710 self._pagesize = None
+10711 self._os = None
+10712 self._pid = None
+10713 self._file = None
+10714 self._maps: Optional[pathlib.Path] = None
+10715 self._root: Optional[pathlib.Path] = None
+10716 return
+ +10718 def __str__(self) -> str:
+10719 return f"Session({'Local' if self.remote is None else 'Remote'}, pid={self.pid or 'Not running'}, os='{self.os}')"
+ +10721 @property
+10722 def auxiliary_vector(self) -> Optional[Dict[str, int]]:
+10723 if not is_alive():
+10724 return None
+10725 if is_qemu_system(): 10725 ↛ 10726line 10725 didn't jump to line 10726, because the condition on line 10725 was never true
+10726 return None
+10727 if not self._auxiliary_vector:
+10728 auxiliary_vector = {}
+10729 auxv_info = gdb.execute("info auxv", to_string=True)
+10730 if not auxv_info or "failed" in auxv_info: 10730 ↛ 10731line 10730 didn't jump to line 10731, because the condition on line 10730 was never true
+10731 err("Failed to query auxiliary variables")
+10732 return None
+10733 for line in auxv_info.splitlines():
+10734 line = line.split('"')[0].strip() # remove the ending string (if any)
+10735 line = line.split() # split the string by whitespace(s)
+10736 if len(line) < 4: 10736 ↛ 10737line 10736 didn't jump to line 10737, because the condition on line 10736 was never true
+10737 continue
+10738 __av_type = line[1]
+10739 __av_value = line[-1]
+10740 auxiliary_vector[__av_type] = int(__av_value, base=0)
+10741 self._auxiliary_vector = auxiliary_vector
+10742 return self._auxiliary_vector
+ +10744 @property
+10745 def os(self) -> str:
+10746 """Return the current OS."""
+10747 if not self._os:
+10748 self._os = platform.system().lower()
+10749 return self._os
+ +10751 @property
+10752 def pid(self) -> int:
+10753 """Return the PID of the target process."""
+10754 if not self._pid:
+10755 pid = gdb.selected_inferior().pid if not gef.session.qemu_mode else gdb.selected_thread().ptid[1]
+10756 if not pid:
+10757 raise RuntimeError("cannot retrieve PID for target process")
+10758 self._pid = pid
+10759 return self._pid
+ +10761 @property
+10762 def file(self) -> Optional[pathlib.Path]:
+10763 """Return a Path object of the target process."""
+10764 if gef.session.remote is not None:
+10765 return gef.session.remote.file
+10766 fpath: str = gdb.current_progspace().filename
+10767 if fpath and not self._file:
+10768 self._file = pathlib.Path(fpath).expanduser()
+10769 return self._file
+ +10771 @property
+10772 def cwd(self) -> Optional[pathlib.Path]:
+10773 if gef.session.remote is not None:
+10774 return gef.session.remote.root
+10775 return self.file.parent if self.file else None
+ +10777 @property
+10778 def pagesize(self) -> int:
+10779 """Get the system page size"""
+10780 auxval = self.auxiliary_vector
+10781 if not auxval:
+10782 return DEFAULT_PAGE_SIZE
+10783 self._pagesize = auxval["AT_PAGESZ"]
+10784 return self._pagesize
+ +10786 @property
+10787 def canary(self) -> Optional[Tuple[int, int]]:
+10788 """Return a tuple of the canary address and value, read from the canonical
+10789 location if supported by the architecture. Otherwise, read from the auxiliary
+10790 vector."""
+10791 try:
+10792 canary_location = gef.arch.canary_address()
+10793 canary = gef.memory.read_integer(canary_location)
+10794 except NotImplementedError:
+10795 # Fall back to `AT_RANDOM`, which is the original source
+10796 # of the canary value but not the canonical location
+10797 return self.original_canary
+10798 return canary, canary_location
+ +10800 @property
+10801 def original_canary(self) -> Optional[Tuple[int, int]]:
+10802 """Return a tuple of the initial canary address and value, read from the
+10803 auxiliary vector."""
+10804 auxval = self.auxiliary_vector
+10805 if not auxval:
+10806 return None
+10807 canary_location = auxval["AT_RANDOM"]
+10808 canary = gef.memory.read_integer(canary_location)
+10809 canary &= ~0xFF
+10810 return canary, canary_location
+ + +10813 @property
+10814 def maps(self) -> Optional[pathlib.Path]:
+10815 """Returns the Path to the procfs entry for the memory mapping."""
+10816 if not is_alive():
+10817 return None
+10818 if not self._maps:
+10819 if gef.session.remote is not None:
+10820 self._maps = gef.session.remote.maps
+10821 else:
+10822 self._maps = pathlib.Path(f"/proc/{self.pid}/maps")
+10823 return self._maps
+ +10825 @property
+10826 def root(self) -> Optional[pathlib.Path]:
+10827 """Returns the path to the process's root directory."""
+10828 if not is_alive():
+10829 return None
+10830 if not self._root:
+10831 self._root = pathlib.Path(f"/proc/{self.pid}/root")
+10832 return self._root
+ +10834class GefRemoteSessionManager(GefSessionManager):
+10835 """Class for managing remote sessions with GEF. It will create a temporary environment
+10836 designed to clone the remote one."""
+10837 def __init__(self, host: str, port: int, pid: int =-1, qemu: Optional[pathlib.Path] = None) -> None:
+10838 super().__init__()
+10839 self.__host = host
+10840 self.__port = port
+10841 self.__local_root_fd = tempfile.TemporaryDirectory()
+10842 self.__local_root_path = pathlib.Path(self.__local_root_fd.name)
+10843 self.__qemu = qemu
+10844 dbg(f"[remote] initializing remote session with {self.target} under {self.root}")
+10845 if not self.connect(pid): 10845 ↛ 10846line 10845 didn't jump to line 10846, because the condition on line 10845 was never true
+10846 raise EnvironmentError(f"Cannot connect to remote target {self.target}")
+10847 if not self.setup(): 10847 ↛ 10848line 10847 didn't jump to line 10848, because the condition on line 10847 was never true
+10848 raise EnvironmentError(f"Failed to create a proper environment for {self.target}")
+10849 return
+ +10851 def close(self) -> None:
+10852 self.__local_root_fd.cleanup()
+10853 try:
+10854 gef_on_new_unhook(self.remote_objfile_event_handler)
+10855 gef_on_new_hook(new_objfile_handler)
+10856 except Exception as e:
+10857 warn(f"Exception while restoring local context: {str(e)}")
+10858 return
+ +10860 def in_qemu_user(self) -> bool:
+10861 return self.__qemu is not None
+ +10863 def __str__(self) -> str:
+10864 return f"RemoteSession(target='{self.target}', local='{self.root}', pid={self.pid}, qemu_user={bool(self.in_qemu_user())})"
+ +10866 @property
+10867 def target(self) -> str:
+10868 return f"{self.__host}:{self.__port}"
+ +10870 @property
+10871 def root(self) -> pathlib.Path:
+10872 return self.__local_root_path.absolute()
+ +10874 @property
+10875 def file(self) -> pathlib.Path:
+10876 """Path to the file being debugged as seen by the remote endpoint."""
+10877 if not self._file:
+10878 filename = gdb.current_progspace().filename
+10879 if not filename: 10879 ↛ 10880line 10879 didn't jump to line 10880, because the condition on line 10879 was never true
+10880 raise RuntimeError("No session started")
+10881 start_idx = len("target:") if filename.startswith("target:") else 0
+10882 self._file = pathlib.Path(filename[start_idx:])
+10883 return self._file
+ +10885 @property
+10886 def lfile(self) -> pathlib.Path:
+10887 """Local path to the file being debugged."""
+10888 return self.root / str(self.file).lstrip("/")
+ +10890 @property
+10891 def maps(self) -> pathlib.Path:
+10892 if not self._maps:
+10893 self._maps = self.root / f"proc/{self.pid}/maps"
+10894 return self._maps
+ +10896 def sync(self, src: str, dst: Optional[str] = None) -> bool:
+10897 """Copy the `src` into the temporary chroot. If `dst` is provided, that path will be
+10898 used instead of `src`."""
+10899 if not dst:
+10900 dst = src
+10901 tgt = self.root / dst.lstrip("/")
+10902 if tgt.exists(): 10902 ↛ 10903line 10902 didn't jump to line 10903, because the condition on line 10902 was never true
+10903 return True
+10904 tgt.parent.mkdir(parents=True, exist_ok=True)
+10905 dbg(f"[remote] downloading '{src}' -> '{tgt}'")
+10906 gdb.execute(f"remote get {src} {tgt.absolute()}")
+10907 return tgt.exists()
+ +10909 def connect(self, pid: int) -> bool:
+10910 """Connect to remote target. If in extended mode, also attach to the given PID."""
+10911 # before anything, register our new hook to download files from the remote target
+10912 dbg(f"[remote] Installing new objfile handlers")
+10913 gef_on_new_unhook(new_objfile_handler)
+10914 gef_on_new_hook(self.remote_objfile_event_handler)
+ +10916 # then attempt to connect
+10917 is_extended_mode = (pid > -1)
+10918 dbg(f"[remote] Enabling extended remote: {bool(is_extended_mode)}")
+10919 try:
+10920 with DisableContextOutputContext():
+10921 cmd = f"target {'extended-' if is_extended_mode else ''}remote {self.target}"
+10922 dbg(f"[remote] Executing '{cmd}'")
+10923 gdb.execute(cmd)
+10924 if is_extended_mode: 10924 ↛ 10925line 10924 didn't jump to line 10925, because the condition on line 10924 was never true
+10925 gdb.execute(f"attach {pid:d}")
+10926 return True
+10927 except Exception as e:
+10928 err(f"Failed to connect to {self.target}: {e}")
+ +10930 # a failure will trigger the cleanup, deleting our hook anyway
+10931 return False
+ +10933 def setup(self) -> bool:
+10934 # setup remote adequately depending on remote or qemu mode
+10935 if self.in_qemu_user():
+10936 dbg(f"Setting up as qemu session, target={self.__qemu}")
+10937 self.__setup_qemu()
+10938 else:
+10939 dbg(f"Setting up as remote session")
+10940 self.__setup_remote()
+ +10942 # refresh gef to consider the binary
+10943 reset_all_caches()
+10944 gef.binary = Elf(self.lfile)
+10945 reset_architecture()
+10946 return True
+ +10948 def __setup_qemu(self) -> bool:
+10949 # setup emulated file in the chroot
+10950 assert self.__qemu
+10951 target = self.root / str(self.__qemu.parent).lstrip("/")
+10952 target.mkdir(parents=True, exist_ok=False)
+10953 shutil.copy2(self.__qemu, target)
+10954 self._file = self.__qemu
+10955 assert self.lfile.exists()
+ +10957 # create a procfs
+10958 procfs = self.root / f"proc/{self.pid}/"
+10959 procfs.mkdir(parents=True, exist_ok=True)
+ +10961 ## /proc/pid/cmdline
+10962 cmdline = procfs / "cmdline"
+10963 if not cmdline.exists(): 10963 ↛ 10968line 10963 didn't jump to line 10968, because the condition on line 10963 was never false
+10964 with cmdline.open("w") as fd:
+10965 fd.write("")
+ +10967 ## /proc/pid/environ
+10968 environ = procfs / "environ"
+10969 if not environ.exists(): 10969 ↛ 10974line 10969 didn't jump to line 10974, because the condition on line 10969 was never false
+10970 with environ.open("wb") as fd:
+10971 fd.write(b"PATH=/bin\x00HOME=/tmp\x00")
+ +10973 ## /proc/pid/maps
+10974 maps = procfs / "maps"
+10975 if not maps.exists(): 10975 ↛ 10980line 10975 didn't jump to line 10980, because the condition on line 10975 was never false
+10976 with maps.open("w") as fd:
+10977 fname = self.file.absolute()
+10978 mem_range = "00000000-ffffffff" if is_32bit() else "0000000000000000-ffffffffffffffff"
+10979 fd.write(f"{mem_range} rwxp 00000000 00:00 0 {fname}\n")
+10980 return True
+ +10982 def __setup_remote(self) -> bool:
+10983 # get the file
+10984 fpath = f"/proc/{self.pid}/exe"
+10985 if not self.sync(fpath, str(self.file)): 10985 ↛ 10986line 10985 didn't jump to line 10986, because the condition on line 10985 was never true
+10986 err(f"'{fpath}' could not be fetched on the remote system.")
+10987 return False
+ +10989 # pseudo procfs
+10990 for _file in ("maps", "environ", "cmdline"):
+10991 fpath = f"/proc/{self.pid}/{_file}"
+10992 if not self.sync(fpath): 10992 ↛ 10993line 10992 didn't jump to line 10993, because the condition on line 10992 was never true
+10993 err(f"'{fpath}' could not be fetched on the remote system.")
+10994 return False
+ +10996 # makeup a fake mem mapping in case we failed to retrieve it
+10997 maps = self.root / f"proc/{self.pid}/maps"
+10998 if not maps.exists(): 10998 ↛ 10999line 10998 didn't jump to line 10999, because the condition on line 10998 was never true
+10999 with maps.open("w") as fd:
+11000 fname = self.file.absolute()
+11001 mem_range = "00000000-ffffffff" if is_32bit() else "0000000000000000-ffffffffffffffff"
+11002 fd.write(f"{mem_range} rwxp 00000000 00:00 0 {fname}\n")
+11003 return True
+ +11005 def remote_objfile_event_handler(self, evt: "gdb.NewObjFileEvent") -> None:
+11006 dbg(f"[remote] in remote_objfile_handler({evt.new_objfile.filename if evt else 'None'}))")
+11007 if not evt or not evt.new_objfile.filename: 11007 ↛ 11008line 11007 didn't jump to line 11008, because the condition on line 11007 was never true
+11008 return
+11009 if not evt.new_objfile.filename.startswith("target:") and not evt.new_objfile.filename.startswith("/"):
+11010 warn(f"[remote] skipping '{evt.new_objfile.filename}'")
+11011 return
+11012 if evt.new_objfile.filename.startswith("target:"):
+11013 src: str = evt.new_objfile.filename[len("target:"):]
+11014 if not self.sync(src): 11014 ↛ 11015line 11014 didn't jump to line 11015, because the condition on line 11014 was never true
+11015 raise FileNotFoundError(f"Failed to sync '{src}'")
+11016 return
+ + +11019class GefUiManager(GefManager):
+11020 """Class managing UI settings."""
+11021 def __init__(self) -> None:
+11022 self.redirect_fd : Optional[TextIOWrapper] = None
+11023 self.context_hidden = False
+11024 self.stream_buffer : Optional[StringIO] = None
+11025 self.highlight_table: Dict[str, str] = {}
+11026 self.watches: Dict[int, Tuple[int, str]] = {}
+11027 self.context_messages: List[Tuple[str, str]] = []
+11028 return
+ + +11031class GefLibcManager(GefManager):
+11032 """Class managing everything libc-related (except heap)."""
+11033 def __init__(self) -> None:
+11034 self._version : Optional[Tuple[int, int]] = None
+11035 return
+ +11037 def __str__(self) -> str:
+11038 return f"Libc(version='{self.version}')"
+ +11040 @property
+11041 def version(self) -> Optional[Tuple[int, int]]:
+11042 if not is_alive(): 11042 ↛ 11043line 11042 didn't jump to line 11043, because the condition on line 11042 was never true
+11043 return None
+11044 if not self._version:
+11045 self._version = GefLibcManager.find_libc_version()
+11046 return self._version
+ +11048 @staticmethod
+11049 @lru_cache()
+11050 def find_libc_version() -> Tuple[int, ...]:
+11051 sections = gef.memory.maps
+11052 for section in sections: 11052 ↛ 11065line 11052 didn't jump to line 11065, because the loop on line 11052 didn't complete
+11053 match = re.search(r"libc6?[-_](\d+)\.(\d+)\.so", section.path)
+11054 if match: 11054 ↛ 11055line 11054 didn't jump to line 11055, because the condition on line 11054 was never true
+11055 return tuple(int(_) for _ in match.groups())
+11056 if "libc" in section.path:
+11057 try:
+11058 with open(section.path, "rb") as f:
+11059 data = f.read()
+11060 except OSError:
+11061 continue
+11062 match = re.search(PATTERN_LIBC_VERSION, data)
+11063 if match: 11063 ↛ 11052line 11063 didn't jump to line 11052, because the condition on line 11063 was never false
+11064 return tuple(int(_) for _ in match.groups())
+11065 return 0, 0
+ + + + +11070class Gef:
+11071 """The GEF root class, which serves as a entrypoint for all the debugging session attributes (architecture,
+11072 memory, settings, etc.)."""
+11073 binary: Optional[FileFormat]
+11074 arch: Architecture
+11075 config : GefSettingsManager
+11076 ui: GefUiManager
+11077 libc: GefLibcManager
+11078 memory : GefMemoryManager
+11079 heap : GefHeapManager
+11080 session : GefSessionManager
+11081 gdb: GefCommand
+ +11083 def __init__(self) -> None:
+11084 self.binary: Optional[FileFormat] = None
+11085 self.arch: Architecture = GenericArchitecture() # see PR #516, will be reset by `new_objfile_handler`
+11086 self.config = GefSettingsManager()
+11087 self.ui = GefUiManager()
+11088 self.libc = GefLibcManager()
+11089 return
+ +11091 def __str__(self) -> str:
+11092 return f"Gef(binary='{self.binary or 'None'}', arch={self.arch})"
+ +11094 def reinitialize_managers(self) -> None:
+11095 """Reinitialize the managers. Avoid calling this function directly, using `pi reset()` is preferred"""
+11096 self.memory = GefMemoryManager()
+11097 self.heap = GefHeapManager()
+11098 self.session = GefSessionManager()
+11099 return
+ +11101 def setup(self) -> None:
+11102 """Setup initialize the runtime setup, which may require for the `gef` to be not None."""
+11103 self.reinitialize_managers()
+11104 self.gdb = GefCommand()
+11105 self.gdb.setup()
+11106 tempdir = self.config["gef.tempdir"]
+11107 gef_makedirs(tempdir)
+11108 gdb.execute(f"save gdb-index {tempdir}")
+11109 return
+ +11111 def reset_caches(self) -> None:
+11112 """Recursively clean the cache of all the managers. Avoid calling this function directly, using `reset-cache`
+11113 is preferred"""
+11114 for mgr in (self.memory, self.heap, self.session, self.arch):
+11115 mgr.reset_caches()
+11116 return
+ + +11119if __name__ == "__main__": 11119 ↛ exitline 11119 didn't jump to the function exit
+11120 if sys.version_info[0] == 2: 11120 ↛ 11121line 11120 didn't jump to line 11121, because the condition on line 11120 was never true
+11121 err("GEF has dropped Python2 support for GDB when it reached EOL on 2020/01/01.")
+11122 err("If you require GEF for GDB+Python2, use https://github.com/hugsy/gef-legacy.")
+11123 exit(1)
+ +11125 if GDB_VERSION < GDB_MIN_VERSION or PYTHON_VERSION < PYTHON_MIN_VERSION: 11125 ↛ 11126line 11125 didn't jump to line 11126, because the condition on line 11125 was never true
+11126 err("You're using an old version of GDB. GEF will not work correctly. "
+11127 f"Consider updating to GDB {'.'.join(map(str, GDB_MIN_VERSION))} or higher "
+11128 f"(with Python {'.'.join(map(str, PYTHON_MIN_VERSION))} or higher).")
+11129 exit(1)
+ +11131 try:
+11132 pyenv = which("pyenv")
+11133 PYENV_ROOT = gef_pystring(subprocess.check_output([pyenv, "root"]).strip())
+11134 PYENV_VERSION = gef_pystring(subprocess.check_output([pyenv, "version-name"]).strip())
+11135 site_packages_dir = os.path.join(PYENV_ROOT, "versions", PYENV_VERSION, "lib",
+11136 f"python{PYENV_VERSION[:3]}", "site-packages")
+11137 site.addsitedir(site_packages_dir)
+11138 except FileNotFoundError:
+11139 pass
+ +11141 # When using a Python virtual environment, GDB still loads the system-installed Python
+11142 # so GEF doesn't load site-packages dir from environment
+11143 # In order to fix it, from the shell with venv activated we run the python binary,
+11144 # take and parse its path, add the path to the current python process using sys.path.extend
+11145 PYTHONBIN = which("python3")
+11146 PREFIX = gef_pystring(subprocess.check_output([PYTHONBIN, '-c', 'import os, sys;print((sys.prefix))'])).strip("\\n")
+11147 if PREFIX != sys.base_prefix: 11147 ↛ 11148line 11147 didn't jump to line 11148, because the condition on line 11147 was never true
+11148 SITE_PACKAGES_DIRS = subprocess.check_output(
+11149 [PYTHONBIN, "-c", "import os, sys;print(os.linesep.join(sys.path).strip())"]).decode("utf-8").split()
+11150 sys.path.extend(SITE_PACKAGES_DIRS)
+ +11152 # setup config
+11153 gdb_initial_settings = (
+11154 "set confirm off",
+11155 "set verbose off",
+11156 "set pagination off",
+11157 "set print elements 0",
+11158 "set history save on",
+11159 f"set history filename {os.getenv('GDBHISTFILE', '~/.gdb_history')}",
+11160 "set output-radix 0x10",
+11161 "set print pretty on",
+11162 "set disassembly-flavor intel",
+11163 "handle SIGALRM print nopass",
+11164 )
+11165 for cmd in gdb_initial_settings:
+11166 try:
+11167 gdb.execute(cmd)
+11168 except gdb.error:
+11169 pass
+ +11171 # load GEF, set up the managers and load the plugins, functions,
+11172 reset()
+11173 gef.gdb.load()
+11174 gef.gdb.show_banner()
+ +11176 # load config
+11177 gef.gdb.load_extra_plugins()
+ +11179 # setup gdb prompt
+11180 gdb.prompt_hook = __gef_prompt__
+ +11182 # gdb events configuration
+11183 gef_on_continue_hook(continue_handler)
+11184 gef_on_stop_hook(hook_stop_handler)
+11185 gef_on_new_hook(new_objfile_handler)
+11186 gef_on_exit_hook(exit_handler)
+11187 gef_on_memchanged_hook(memchanged_handler)
+11188 gef_on_regchanged_hook(regchanged_handler)
+ +11190 progspace = gdb.current_progspace()
+11191 if progspace and progspace.filename: 11191 ↛ 11195line 11191 didn't jump to line 11195, because the condition on line 11191 was never false
+11192 # if here, we are sourcing gef from a gdb session already attached, force call to new_objfile (see issue #278)
+11193 new_objfile_handler(None)
+ +11195 GefTmuxSetup()
+ +11197 # `target remote` commands cannot be disabled, so print a warning message instead
+11198 errmsg = "Using `target remote` with GEF does not work, use `gef-remote` instead. You've been warned."
+11199 gdb.execute(f"define target hook-remote\n pi if calling_function() != \"connect\": err(\"{errmsg}\") \nend")
+11200 gdb.execute(f"define target hook-extended-remote\n pi if calling_function() != \"connect\": err(\"{errmsg}\") \nend")
+ +11202 # restore saved breakpoints (if any)
+11203 bkp_fpath = pathlib.Path(gef.config["gef.autosave_breakpoints_file"]).expanduser().absolute()
+11204 if bkp_fpath.exists() and bkp_fpath.is_file(): 11204 ↛ 11205line 11204 didn't jump to line 11205, because the condition on line 11204 was never true
+11205 gdb.execute(f"source {bkp_fpath}")
++ coverage.py v7.2.7, + created at 2023-08-01 03:12 +0000 +
+| Module | +statements | +missing | +excluded | +branches | +partial | +coverage | +
|---|---|---|---|---|---|---|
| gef.py | +7572 | +1827 | +0 | +2540 | +418 | +71.5684% | +
| Total | +7572 | +1827 | +0 | +2540 | +418 | +71.5684% | +
+ No items found using the specified filter. +
+GEF is in itself a large file, but to avoid it to be out of control some commands once part of GEF +were either moved to GEF-Extras or even simply removed. This +page aims to track those changes.
+| Command | +Status | +Since | +Link (if Applicable) | +Notes | +
|---|---|---|---|---|
cs-disassemble |
+Moved | +2022.06 | +Link | +Depends on capstone |
+
assemble |
+Moved | +2022.06 | +Link | +Depends on keystone |
+
emulate |
+Moved | +2022.06 | +Link | +Depends on unicorn and capstone |
+
set-permission |
+Moved | +2022.06 | +Link | +Depends on keystone |
+
ropper |
+Moved | +2022.06 | +Link | +Depends on ropper |
+
ida-interact |
+Moved | +2022.06 | +Link | +Depends on rpyc |
+
exploit-template |
+Moved | +c402900 | +Link | ++ |
windbg |
+Moved | +a933a5a | +Link | ++ |
is-syscall |
+Moved | +3f79fb38 | +Link | ++ |
syscall-args |
+Moved | +3f79fb38 | +Link | ++ |
PEDA is a fantastic tool that provides similar commands to make +the exploitation development process smoother.
+However, PEDA suffers from a major drawbacks, which the code is too fundamentally linked to Intel +architectures (x86-32 and x86-64). On the other hand, GEF not only supports all the architecture +supported by GDB (currently x86, ARM, AARCH64, MIPS, PowerPC, SPARC) but is designed to integrate +new architectures very easily as well!
+Also, PEDA development has been quite idle for a few years now, and many new interesting features a +debugger can provide simply do not exist.
+GDB was introduced with its Python support early 2011 with the release of GDB 7. A (very) long way +has gone since and the Python API has been massively improved, and GEF is taking advantage of them +to provide the coolest features with as little performance impact as possible.
+Currently, GEF is optimized for running against GDB version 8.0+, and Python 3.6+. This allows for a
+best performance and best use of the GDB Python API. However, GEF can run on older versions too,
+check out the version compatibility matrix. For really older versions of GDB, you can
+use gef-legacy which supports a lot of older GDB, and a
+Python 2/3 compatibility layer.
Therefore, it is highly recommended to run GEF with the latest version of GDB. However, all +functions should work on a GDB 8.0 and up. If not, send a bug +report and provide as much details as possible.
+If you are running an obsolete version, GEF will show a error and message and exit.
+Some pre-compiled static binaries for both recent GDB and GDBServer can be downloaded from the
+gdb-static repository.
GEF will work on any GDB 8+ compiled with Python 3.6+ support. You can view that commands that
+failed to load using gef missing, but this will not affect GEF generally.
If you experience problems setting it up on your host, first go to the Discord +channel for that. You will find great people there willing to help.
+Note that the GitHub issue section is to be used to report bugs and GEF issues (like +unexpected crash, improper error handling, weird edge case, etc.), not a place to ask for help.
+All recent distributions ship packaged GDB that should be ready-to-go, with a GDB >= 8.0 and Python
+3.6+. Any version higher or equal will work just fine. So you might actually only need to run apt
+install gdb to get the full-force of GEF.
A long standing bug in the readline library can make gef crash GDB when displaying certain
+characters (SOH/ETX). As a result, this would SIGSEGV GDB as gef is loading, a bit like this:
root@debian-aarch64:~# gdb -q ./test-bin-aarch64
+GEF ready, type `gef' to start, `gef config' to configure
+53 commands loaded, using Python engine 3.4
+[*] 5 commands could not be loaded, run `gef missing` to know why.
+[+] Configuration from '/root/.gef.rc' restored
+Reading symbols from ./bof-aarch64...(no debugging symbols found)...done.
+Segmentation fault (core dumped)
+If so, this can be fixed easily by setting the gef.readline_compat variable to True in the
+~/.gef.rc file. Something like this:
root@debian-aarch64:~# nano ~/.gef.rc
+[...]
+[gef]
+readline_compat = True
+You can now use all features of gef even on versions of GDB compiled against old readline
+library.
Definitely not! You can use any other GDB plugin on top of it for an even better debugging +experience.
+Some interesting plugins highly recommended too:
+
+Src: @rick2600: terminator + gdb + gef + voltron cc: @snare @hugsy
I would suggest thoroughly reading this documentation, just having a look to the +CONTRIBUTE file of the project to +give you pointers.
+Also a good thing would be to join our Discord channel to get in touch +with the people involved/using it.
+gef is only getting better through people (like you!) using it, but most importantly reporting
+unexpected behavior.
In most locations, Python exceptions will be properly intercepted. If not, gef wraps all commands
+with a generic exception handler, to disturb as little as possible your debugging session. If it
+happens, you'll only get to see a message like this:
+
By switching to debug mode, gef will give much more information:
gef➤ gef config gef.debug 1
+
If you think fixing it is in your skills, then send a Pull +Request with your patched version, explaining your bug, and +what was your solution for it.
+Otherwise, you can open an issue, give a thorough description +of your bug and copy/paste the content from above. This will greatly help for solving the issue.
+Chances are you are not using UTF-8. Python3 is highly relying on
+UTF-8 to display correctly characters of any alphabet
+and also some cool emojis. When GDB is
+compiled with Python3, GEF will assume that your current charset is UTF-8 (for instance,
+en_US.UTF-8). Use your $LANG environment variable to tweak this setting.
In addition, some unexpected results were observed when your local is not set to English. If you
+aren't sure, simply run gdb like this:
$ LC_ALL=en_US.UTF-8 gdb /path/to/your/binary
+gdb_exception_RETURN_MASK_ERRORThis issue is NOT GEF related, but GDB's, or more precisely some versions of GDB packaged with +Debian/Kali for ARM
+++Original Issue and Mitigation
+gdb version 7.12, as distributed w/ Raspbian/Kali rolling (only distro's +tested,) throws an exception while disassembling ARM binaries when using gef. +This is not a gef problem, this is a gdb problem. gef is just the tool that +revealed the gdb dain bramage! (The issue was not observed using vanilla +gdb/peda/pwndbg) This issue was first noted when using si to step through a +simple ARM assembly program (noted above) when instead of exiting cleanly, +gdb's disassembly failed with a SIGABRT and threw an exception:
++
gdb_exception_RETURN_MASK_ERRORThis turns out to be a known problem (regression) with gdb, and affects +gef users running the ARM platform (Raspberry Pi).
+The mitigation is for ARM users to compile gdb from source and run the latest +version, 8.1 as of this writing. +
+
Do not file an issue, again it is NOT a bug from GEF, or neither from GDB Python API. +Therefore, there is nothing GEF's developers can do about that. The correct solution as mentioned +above is to recompile your GDB with a newer (better) version.
+The whole topic was already internally discussed, so please refer to the [issue
+Discord is your answer: join and talk to us by clicking here
+If you cannot find the answer to your problem here or on the Discord, then go to the project Issues +page and fill up the forms with as much information as you +can!
+GEF can attach to a process running in a container using gdb --pid=$PID, where $PID is the ID of
+the running process on the host. To find this, you can use docker top <container ID> -o pid | awk
+'!/PID/' | xargs -I'{}' pstree -psa {} to view the process tree for the container.
sudo may be required to attach to the process, which will depend on your system's security
+settings.
Please note that cross-container debugging may have unexpected issues. Installing gdb and GEF inside +the container, or using the official GEF docker image may +improve results.
+ + + + + + +
$_base()Return the matching file's base address plus an optional offset. Defaults to current file. Note that +quotes need to be escaped.
+Note: a debugging session must be active
+$_base([filepath])
+Example:
+gef➤ p $_base(\"/usr/lib/ld-2.33.so\")
+$_bss()Return the current BSS base address plus the given offset.
+Note: a debugging session must be active
+$_bss([offset])
+Example:
+gef➤ p $_bss(0x20)
+$_got()Return the current GOT base address plus the given offset.
+Note: a debugging session must be active
+$_got([offset])
+Example:
+gef➤ p $_got(0x20)
+$_heap()Return the current heap base address plus the given offset.
+Note: a debugging session must be active
+$_heap([offset])
+Example:
+gef➤ p $_heap(0x20)
+$_stack()Return the current stack base address plus the given offset.
+Note: a debugging session must be active
+$_stack([offset])
+Example:
+gef➤ p $_stack(0x20)
+
GEF (pronounced ʤɛf - "Jeff") is a kick-ass set of commands for X86, ARM, MIPS, PowerPC and SPARC
+to make GDB cool again for exploit dev. It is aimed to be used mostly by exploit developers and
+reverse-engineers, to provide additional features to GDB using the Python API to assist during the
+process of dynamic analysis and exploit development.
It requires Python 3, but gef-legacy can be used if Python
+2 support is needed.
GEF is battery-included and is
+ installable instantlygef-legacy for a Python2 compatible version, and the
+ compatibility matrix for a complete rundown of version support.Check out the showroom page for more | or try it online
+yourself! (user:gef/password:gef-demo)
GEF has no dependencies, is fully battery-included and works out of the box. You can get started +with GEF in a matter of seconds, by simply running:
+bash -c "$(curl -fsSL https://gef.blah.cat/sh)"
+For more details and other ways to install GEF please see installation +page.
+Then just start playing (for local files):
+$ gdb -q /path/to/my/bin
+gef➤ gef help
+Or (for remote debugging):
+remote:~ $ gdbserver 0.0.0.0:1234 /path/to/file
+Running as PID: 666
+And:
+local:~ $ gdb -q
+gef➤ gef-remote -t your.ip.address:1234 -p 666
+To discuss gef, gdb, exploitation or other topics, feel free to join our Discord
+channel.
For bugs or feature requests, just go here and provide a +thorough description if you want help.
+Side Note: GEF fully relies on the GDB API and other Linux-specific sources of information (such
+as /proc/<pid>). As a consequence, some of the features might not work on custom or hardened
+systems such as GrSec.
gef was created and maintained by myself, @_hugsy_, but kept
+fresh thanks to all the contributors.
Or if you just like the tool, feel free to drop a simple "thanks" on Discord, Twitter or other, it +is always very appreciated.
+We would like to thank in particular the following people who've been sponsoring GEF allowing us to +dedicate more time and resources to the project:
+
+
+
+
+
+
+
+
Specific GEF commands rely on commonly used Unix commands to extract additional information. Therefore it requires the following binaries to be present:
+ * file
+ * readelf
+ * ps
+ * python3
Those tools are included by default in many modern distributions. If they're missing, you can use your OS package manager to install them.
+Only GDB 8 and higher is required. It must be compiled with Python 3.6 +or higher support. For most people, simply using your distribution package manager should be enough.
+As of January 2020, GEF officially doesn't support Python 2 any longer, due to Python 2 becoming +officially deprecated.
+GEF will then only work for Python 3. If you absolutely require GDB + Python 2, please use
+GEF-Legacy instead. Note that gef-legacy won't provide new
+features, and only functional bugs will be handled.
You can verify it with the following command:
+$ gdb -nx -ex 'pi print(sys.version)' -ex quit
+This should display your version of Python compiled with gdb.
$ gdb -nx -ex 'pi print(sys.version)' -ex quit
+3.6.9 (default, Nov 7 2019, 10:44:02)
+[GCC 8.3.0]
+There are none: GEF works out of the box!
GEF itself provides most (if not all 🤯) features required for typical sessions. However, GEF can be
+easily extended via
+- community-built scripts, functions and architectures in the repo
+ gef-extras (see below)
+- your own script which can leverage the GEF API for the heavy lifting
The quickest way to get started with GEF is through the installation script available. Simply make +sure you have GDB 8.0 or higher, compiled with Python 3.6 or higher, +and run
+bash -c "$(curl -fsSL https://gef.blah.cat/sh)"
+Or if you prefer wget
bash -c "$(wget https://gef.blah.cat/sh -O -)"
+Alternatively from inside gdb directly:
$ gdb -q
+(gdb) pi import urllib.request as u, tempfile as t; g=t.NamedTemporaryFile(suffix='-gef.py'); open(g.name, 'wb+').write(u.urlopen('https://tinyurl.com/gef-main').read()); gdb.execute('source %s' % g.name)
+That's it! GEF is installed and correctly set up. You can confirm it by checking the ~/.gdbinit
+file and see a line that sources (i.e. loads) GEF.
$ cat ~/.gdbinit
+source ~/.gdbinit-gef.py
+If your host/VM is connected to the Internet, you can update gef easily to the latest version
+(even without git installed). with python /path/to/gef.py --update
$ python ~/.gdbinit-gef.py --update
+Updated
+This will deploy the latest version of gef's main branch from Github. If no
+updates are available, gef will respond No update instead.
To contribute to GEF, you might prefer using git directly.
+$ git clone --branch dev https://github.com/hugsy/gef.git
+$ echo source `pwd`/gef/gef.py >> ~/.gdbinit
+GEF is in very active development, so the default branch is dev. This is the
+branch you must use if you intend to submit pull requests.
However if you prefer a more stable life, you can then switch to the main
+branch:
$ git checkout main
+The main branch gets only updated for new releases, or also when critical
+fixes occur and need to be patched urgently.
GEF was built to also provide a solid base for external scripts. The repository
+gef-extras is an open repository where
+anyone can freely submit their own commands to extend GDB via GEF's API.
To benefit from it:
+# using the automated way
+## via the install script
+$ bash -c "$(wget https://github.com/hugsy/gef/raw/main/scripts/gef-extras.sh -O -)"
+
+# or manually
+## clone the repo
+$ git clone --branch main https://github.com/hugsy/gef-extras.git
+
+## then specify gef to load this directory
+$ gdb -ex 'gef config gef.extra_plugins_dir "/path/to/gef-extras/scripts"' -ex 'gef save' -ex quit
+[+] Configuration saved
+You can also use the structures defined from this repository:
+$ gdb -ex 'gef config pcustom.struct_path "/path/to/gef-extras/structs"' -ex 'gef save' -ex quit
+[+] Configuration saved
+There, you're now fully equipped epic pwnage with all GEF's goodness!!
+GDB provides the -nx command line flag to disable the commands from the
+~/.gdbinit to be executed.
gdb -nx
+To disable GEF without removing it, go to editing ~/.gdbinit, spot the line
+that sources GEF, and comment / delete that line:
So:
+$ cat ~/.gdbinit
+source /my/path/to/gef.py
+Will become:
+$ cat ~/.gdbinit
+# source /my/path/to/gef.py
+Restart GDB, GEF is gone. Note that you can also load GEF at any moment during +your GDB session as such:
+$ gdb
+(gdb) source /my/path/to/gef.py
+GEF is a one-file GDB script. Therefore, to remove GEF simply spot the location
+it was installed (for example, by using ~/.gdbinit) and delete the file. If a
+configuration file was created, it will be located as ~/.gef.rc and can also
+be deleted:
$ cat ~/.gdbinit
+# source /my/path/to/gef.py
+$ rm /my/path/to/gef.py ~/.gef.rc
+GEF is totally removed from your system.
+ + + + + + +
This page illustrates a few of the possibilities available to you when using GEF.
GEF was designed to support any architecture supported by GDB via an easily
+extensible architecture API.
Currently GEF supports the following architectures:
To this day, GDB doesn't come with a hexdump-like view. Well GEF fixes that for you via the
+hexdump command:
No more endless manual pointer dereferencing x/x style. Just use dereference for that. Or for a
+comprehensive view of the registers, registers might become your best friend:
GEF (pronounced \u02a4\u025bf - \"Jeff\") is a kick-ass set of commands for X86, ARM, MIPS, PowerPC and SPARC to make GDB cool again for exploit dev. It is aimed to be used mostly by exploit developers and reverse-engineers, to provide additional features to GDB using the Python API to assist during the process of dynamic analysis and exploit development.
It requires Python 3, but gef-legacy can be used if Python 2 support is needed.
GEF is battery-included and is installable instantlygef-legacy for a Python2 compatible version, and the compatibility matrix for a complete rundown of version support.Check out the showroom page for more | or try it online yourself! (user:gef/password:gef-demo)
GEF has no dependencies, is fully battery-included and works out of the box. You can get started with GEF in a matter of seconds, by simply running:
bash -c \"$(curl -fsSL https://gef.blah.cat/sh)\"\nFor more details and other ways to install GEF please see installation page.
"},{"location":"#run","title":"Run","text":"Then just start playing (for local files):
$ gdb -q /path/to/my/bin\ngef\u27a4 gef help\nOr (for remote debugging):
remote:~ $ gdbserver 0.0.0.0:1234 /path/to/file\nRunning as PID: 666\nAnd:
local:~ $ gdb -q\ngef\u27a4 gef-remote -t your.ip.address:1234 -p 666\nTo discuss gef, gdb, exploitation or other topics, feel free to join our Discord channel.
For bugs or feature requests, just go here and provide a thorough description if you want help.
Side Note: GEF fully relies on the GDB API and other Linux-specific sources of information (such as /proc/<pid>). As a consequence, some of the features might not work on custom or hardened systems such as GrSec.
gef was created and maintained by myself, @_hugsy_, but kept fresh thanks to all the contributors.
Or if you just like the tool, feel free to drop a simple \"thanks\" on Discord, Twitter or other, it is always very appreciated.
"},{"location":"#sponsors","title":"Sponsors","text":"We would like to thank in particular the following people who've been sponsoring GEF allowing us to dedicate more time and resources to the project:
"},{"location":"#extra-credits","title":"Extra Credits","text":"
GEF intends to provide a battery-included, quickly installable and crazy fast debugging environment sitting on top of GDB.
But it most importantly provides all the primitives required to allow hackers to quickly create their own commands. This page intends to summarize how to create advanced GDB commands in moments using GEF as a library.
A dedicated repository was born to host external scripts. This repo is open to all for contributions, no restrictions and the most valuable ones will be integrated into gef.py.
Here is the most basic skeleton for creating a new GEF command named newcmd:
class NewCommand(GenericCommand):\n \"\"\"Dummy new command.\"\"\"\n _cmdline_ = \"newcmd\"\n _syntax_ = f\"{_cmdline_}\"\n\n @only_if_gdb_running # not required, ensures that the debug session is started\n def do_invoke(self, argv):\n # let's say we want to print some info about the architecture of the current binary\n print(f\"gef.arch={gef.arch}\")\n # or showing the current $pc\n print(f\"gef.arch.pc={gef.arch.pc:#x}\")\n return\n\nregister_external_command(NewCommand())\nLoading it in GEF is as easy as
gef\u27a4 source /path/to/newcmd.py\n[+] Loading 'NewCommand'\nWe can call it:
gef\u27a4 newcmd\ngef.arch=<__main__.X86_64 object at 0x7fd5583571c0>\ngef.arch.pc=0x55555555a7d0\nYes, that's it! Check out the complete API to see what else GEF offers.
"},{"location":"api/#detailed-explanation","title":"Detailed explanation","text":"Our new command must be a class that inherits from GEF's GenericCommand. The only requirements are:
_cmdline_ attribute (the command to type on the GDB prompt)._syntax_ attribute, which GEF will use to auto-generate the help menu.do_invoke(self, args) which will be executed when the command is invoked. args is a list of the command line args provided when invoked.We make GEF aware of this new command by registering it in the __main__ section of the script, by invoking the global function register_external_command().
Now you have a new GEF command which you can load, either from cli:
gef\u27a4 source /path/to/newcmd.py\nor add to your ~/.gdbinit:
$ echo source /path/to/newcmd.py >> ~/.gdbinit\nSometimes you want something similar to a command to run on each break-like event and display itself as a part of the GEF context. Here is a simple example of how to make a custom context pane:
__start_time__ = int(time.time())\ndef wasted_time_debugging():\n gef_print(\"You have wasted {} seconds!\".format(int(time.time()) - __start_time__))\n\ndef wasted_time_debugging_title():\n return \"wasted:time:debugging:{}\".format(int(time.time()) - __start_time__)\n\nregister_external_context_pane(\"wasted_time_debugging\", wasted_time_debugging, wasted_time_debugging_title)\nLoading it in GEF is as easy as loading a command
gef\u27a4 source /path/to/custom_context_pane.py\nIt can even be included in the same file as a Command. Now on each break you will notice a new pane near the bottom of the context. The order can be modified in the GEF context config.
The API demonstrated above requires very specific argument types: register_external_context_pane(pane_name, display_pane_function, pane_title_function)
pane_name: a string that will be used as the panes setting namedisplay_pane_function: a function that uses gef_print() to print content in the panepane_title_function: a function that returns the title string or None to hide the titleSome of the most important parts of the API for creating new commands are mentioned (but not limited to) below. To see the full help of a function, open GDB and GEF, and use the embedded Python interpreter's help command.
For example:
gef\u27a4 pi help(Architecture)\nor even from outside GDB:
$ gdb -q -ex 'pi help(hexdump)' -ex quit\nThe GEF API aims to provide a simpler and more Pythonic approach to GDB's.
Some basic examples: - read the memory
gef \u27a4 pi print(hexdump( gef.memory.read(parse_address(\"$pc\"), length=0x20 )))\n0x0000000000000000 f3 0f 1e fa 31 ed 49 89 d1 5e 48 89 e2 48 83 e4 ....1.I..^H..H..\n0x0000000000000010 f0 50 54 4c 8d 05 66 0d 01 00 48 8d 0d ef 0c 01 .PTL..f...H.....\ngef \u27a4 pi print('\\n'.join([ f\"{x.page_start:#x} -> {x.page_end:#x}\" for x in gef.memory.maps]))\n0x555555554000 -> 0x555555558000\n0x555555558000 -> 0x55555556c000\n0x55555556c000 -> 0x555555575000\n0x555555576000 -> 0x555555577000\n0x555555577000 -> 0x555555578000\n0x555555578000 -> 0x55555559a000\n0x7ffff7cd8000 -> 0x7ffff7cda000\n0x7ffff7cda000 -> 0x7ffff7ce1000\n0x7ffff7ce1000 -> 0x7ffff7cf2000\n0x7ffff7cf2000 -> 0x7ffff7cf7000\n[...]\nThe API also offers a number of decorators to simplify the creation of new/existing commands, such as: - @only_if_gdb_running to execute only if a GDB session is running. - @only_if_gdb_target_local to check if the target is local i.e. not debugging using GDB remote. - and many more...
For a complete reference of the API offered by GEF, visit docs/api/gef.md.
@parse_arguments( {\"required_argument_1\": DefaultValue1, ...}, {\"--optional-argument-1\": DefaultValue1, ...} )\nThis decorator aims to facilitate the argument passing to a command. If added, it will use the argparse module to parse arguments, and will store them in the kwargs[\"arguments\"] of the calling function (therefore the function must have *args, **kwargs added to its signature). Argument type is inferred directly from the default value except for boolean, where a value of True corresponds to argparse's store_true action. For more details on argparse, refer to its Python documentation.
Values given for the parameters also allow list of arguments being past. This can be useful in the case where the number of exact option values is known in advance. This can be achieved simply by using a type of tuple or list for the default value. parse_arguments will determine the type of what to expect based on the first default value of the iterable, so make sure it's not empty. For instance:
@parse_arguments( {\"instructions\": [\"nop\", \"int3\", \"hlt\"], }, {\"--arch\": \"x64\", } )\nArgument flags are also supported, allowing to write simpler version of the flag such as
@parse_arguments( {}, {(\"--long-argument\", \"-l\"): value, } )\nA basic example would be as follow:
class MyCommand(GenericCommand):\n [...]\n\n @parse_arguments({\"foo\": [1,]}, {\"--bleh\": \"\", (\"--blah\", \"-l): True})\n def do_invoke(self, argv, *args, **kwargs):\n args = kwargs[\"arguments\"]\n if args.foo == 1: ...\n if args.blah == True: ...\nWhen the user enters the following command:
gef\u27a4 mycommand --blah 3 14 159 2653\nThe function MyCommand!do_invoke() can use the command line argument value
args.foo --> [3, 14, 159, 2653] # a List(int) from user input\nargs.bleh --> \"\" # the default value\nargs.blah --> True # set to True because user input declared the option (would have been False otherwise)\nSupport for new architectures can be added by inheriting from the Architecture class. Examples can be found in gef-extras.
Sometimes architectures can more precisely determine whether they apply to the current target by looking at the architecture determined by gdb. For these cases the custom architecture may implement the supports_gdb_arch() static function to signal that they should be used instead of the default. The function receives only one argument: - gdb_str (of type str) which is the architecture name as reported by GDB.
The function must return: - True if the current Architecture class supports the target binary; False otherwise. - None to simply ignore this check and let GEF try to determine the architecture.
One example is the ARM Cortex-M architecture which in some cases should be used over the generic ARM one:
@staticmethod\ndef supports_gdb_arch(gdb_arch: str) -> Optional[bool]:\n return bool(re.search(\"^armv.*-m$\", gdb_arch))\nThis matrix indicates the version of Python and/or GDB
GEF version GDB Python compatibility* Python compatibility* 2018.02 7.2 Python 2.7, Python 3.4+ 2020.03 7.4 Python 2.7, Python 3.4+ 2022.01 7.7 Python 3.4+ Current 8.0+ Python 3.6+GEF comes with its own configuration and customization system, allowing fine tweaking. The configuration file is located under ~/.gef.rc by default, and is automatically loaded when GEF is loaded by GDB. If not configuration file is found, GEF will simply use the default settings.
The configuration file is a Python configparser. To create a basic file with all settings and their default values, simply run
gdb -ex 'gef save' -ex quit\nYou can now explore the configuration file under ~/.gef.rc.
Once in GEF, the configuration settings can be set/unset/modified by the command gef config. Without argument the command will simply dump all known settings:
To update, follow the syntax
gef\u27a4 gef config <Module>.<ModuleSetting> <Value>\nAny setting updated this way will be specific to the current GDB session. To make permanent, use the following command
gef\u27a4 gef save\nRefer to the gef config command documentation for complete explanation.
GEF is in itself a large file, but to avoid it to be out of control some commands once part of GEF were either moved to GEF-Extras or even simply removed. This page aims to track those changes.
Command Status Since Link (if Applicable) Notescs-disassemble Moved 2022.06 Link Depends on capstone assemble Moved 2022.06 Link Depends on keystone emulate Moved 2022.06 Link Depends on unicorn and capstone set-permission Moved 2022.06 Link Depends on keystone ropper Moved 2022.06 Link Depends on ropper ida-interact Moved 2022.06 Link Depends on rpyc exploit-template Moved c402900 Link windbg Moved a933a5a Link is-syscall Moved 3f79fb38 Link syscall-args Moved 3f79fb38 Link"},{"location":"faq/","title":"Frequently Asked Questions","text":""},{"location":"faq/#why-use-gef-over-peda","title":"Why use GEF over PEDA?","text":"PEDA is a fantastic tool that provides similar commands to make the exploitation development process smoother.
However, PEDA suffers from a major drawbacks, which the code is too fundamentally linked to Intel architectures (x86-32 and x86-64). On the other hand, GEF not only supports all the architecture supported by GDB (currently x86, ARM, AARCH64, MIPS, PowerPC, SPARC) but is designed to integrate new architectures very easily as well!
Also, PEDA development has been quite idle for a few years now, and many new interesting features a debugger can provide simply do not exist.
"},{"location":"faq/#what-if-my-gdb-is-80","title":"What if my GDB is < 8.0 ?","text":"GDB was introduced with its Python support early 2011 with the release of GDB 7. A (very) long way has gone since and the Python API has been massively improved, and GEF is taking advantage of them to provide the coolest features with as little performance impact as possible.
Currently, GEF is optimized for running against GDB version 8.0+, and Python 3.6+. This allows for a best performance and best use of the GDB Python API. However, GEF can run on older versions too, check out the version compatibility matrix. For really older versions of GDB, you can use gef-legacy which supports a lot of older GDB, and a Python 2/3 compatibility layer.
Therefore, it is highly recommended to run GEF with the latest version of GDB. However, all functions should work on a GDB 8.0 and up. If not, send a bug report and provide as much details as possible.
If you are running an obsolete version, GEF will show a error and message and exit.
Some pre-compiled static binaries for both recent GDB and GDBServer can be downloaded from the gdb-static repository.
GEF will work on any GDB 8+ compiled with Python 3.6+ support. You can view that commands that failed to load using gef missing, but this will not affect GEF generally.
If you experience problems setting it up on your host, first go to the Discord channel for that. You will find great people there willing to help.
Note that the GitHub issue section is to be used to report bugs and GEF issues (like unexpected crash, improper error handling, weird edge case, etc.), not a place to ask for help.
All recent distributions ship packaged GDB that should be ready-to-go, with a GDB >= 8.0 and Python 3.6+. Any version higher or equal will work just fine. So you might actually only need to run apt install gdb to get the full-force of GEF.
A long standing bug in the readline library can make gef crash GDB when displaying certain characters (SOH/ETX). As a result, this would SIGSEGV GDB as gef is loading, a bit like this:
root@debian-aarch64:~# gdb -q ./test-bin-aarch64\nGEF ready, type `gef' to start, `gef config' to configure\n53 commands loaded, using Python engine 3.4\n[*] 5 commands could not be loaded, run `gef missing` to know why.\n[+] Configuration from '/root/.gef.rc' restored\nReading symbols from ./bof-aarch64...(no debugging symbols found)...done.\nSegmentation fault (core dumped)\nIf so, this can be fixed easily by setting the gef.readline_compat variable to True in the ~/.gef.rc file. Something like this:
root@debian-aarch64:~# nano ~/.gef.rc\n[...]\n[gef]\nreadline_compat = True\nYou can now use all features of gef even on versions of GDB compiled against old readline library.
Definitely not! You can use any other GDB plugin on top of it for an even better debugging experience.
Some interesting plugins highly recommended too:
Src: @rick2600: terminator + gdb + gef + voltron cc: @snare @hugsy
"},{"location":"faq/#i-want-to-contribute-where-should-i-head-first","title":"I want to contribute, where should I head first?","text":"I would suggest thoroughly reading this documentation, just having a look to the CONTRIBUTE file of the project to give you pointers.
Also a good thing would be to join our Discord channel to get in touch with the people involved/using it.
"},{"location":"faq/#i-think-ive-found-a-bug-how-can-i-help-fixing-it","title":"I think I've found a bug, how can I help fixing it?","text":"gef is only getting better through people (like you!) using it, but most importantly reporting unexpected behavior.
In most locations, Python exceptions will be properly intercepted. If not, gef wraps all commands with a generic exception handler, to disturb as little as possible your debugging session. If it happens, you'll only get to see a message like this:
By switching to debug mode, gef will give much more information:
gef\u27a4 gef config gef.debug 1\nIf you think fixing it is in your skills, then send a Pull Request with your patched version, explaining your bug, and what was your solution for it.
Otherwise, you can open an issue, give a thorough description of your bug and copy/paste the content from above. This will greatly help for solving the issue.
"},{"location":"faq/#i-get-weird-issuescharacters-using-gdb-python3-whats-up","title":"I get weird issues/characters using GDB + Python3, what's up?","text":"Chances are you are not using UTF-8. Python3 is highly relying on UTF-8 to display correctly characters of any alphabet and also some cool emojis. When GDB is compiled with Python3, GEF will assume that your current charset is UTF-8 (for instance, en_US.UTF-8). Use your $LANG environment variable to tweak this setting.
In addition, some unexpected results were observed when your local is not set to English. If you aren't sure, simply run gdb like this:
$ LC_ALL=en_US.UTF-8 gdb /path/to/your/binary\ngdb_exception_RETURN_MASK_ERROR","text":"This issue is NOT GEF related, but GDB's, or more precisely some versions of GDB packaged with Debian/Kali for ARM
Original Issue and Mitigation
gdb version 7.12, as distributed w/ Raspbian/Kali rolling (only distro's tested,) throws an exception while disassembling ARM binaries when using gef. This is not a gef problem, this is a gdb problem. gef is just the tool that revealed the gdb dain bramage! (The issue was not observed using vanilla gdb/peda/pwndbg) This issue was first noted when using si to step through a simple ARM assembly program (noted above) when instead of exiting cleanly, gdb's disassembly failed with a SIGABRT and threw an exception:
gdb_exception_RETURN_MASK_ERROR
This turns out to be a known problem (regression) with gdb, and affects gef users running the ARM platform (Raspberry Pi).
The mitigation is for ARM users to compile gdb from source and run the latest version, 8.1 as of this writing.
Do not file an issue, again it is NOT a bug from GEF, or neither from GDB Python API. Therefore, there is nothing GEF's developers can do about that. The correct solution as mentioned above is to recompile your GDB with a newer (better) version.
The whole topic was already internally discussed, so please refer to the [issue
"},{"location":"faq/#206httpsgithubcomhugsygefissues206-for-the-whole-story","title":"206](https://github.com/hugsy/gef/issues/206) for the whole story.","text":""},{"location":"faq/#i-still-dont-have-my-answer-where-can-i-go","title":"I still don't have my answer... Where can I go?","text":"Discord is your answer: join and talk to us by clicking here
If you cannot find the answer to your problem here or on the Discord, then go to the project Issues page and fill up the forms with as much information as you can!
"},{"location":"faq/#how-can-i-use-gef-to-debug-a-process-in-a-container","title":"How can I use GEF to debug a process in a container?","text":"GEF can attach to a process running in a container using gdb --pid=$PID, where $PID is the ID of the running process on the host. To find this, you can use docker top <container ID> -o pid | awk '!/PID/' | xargs -I'{}' pstree -psa {} to view the process tree for the container.
sudo may be required to attach to the process, which will depend on your system's security settings.
Please note that cross-container debugging may have unexpected issues. Installing gdb and GEF inside the container, or using the official GEF docker image may improve results.
"},{"location":"install/","title":"Installing GEF","text":""},{"location":"install/#prerequisites","title":"Prerequisites","text":"Specific GEF commands rely on commonly used Unix commands to extract additional information. Therefore it requires the following binaries to be present: * file * readelf * ps * python3
Those tools are included by default in many modern distributions. If they're missing, you can use your OS package manager to install them.
"},{"location":"install/#gdb","title":"GDB","text":"Only GDB 8 and higher is required. It must be compiled with Python 3.6 or higher support. For most people, simply using your distribution package manager should be enough.
As of January 2020, GEF officially doesn't support Python 2 any longer, due to Python 2 becoming officially deprecated.
GEF will then only work for Python 3. If you absolutely require GDB + Python 2, please use GEF-Legacy instead. Note that gef-legacy won't provide new features, and only functional bugs will be handled.
You can verify it with the following command:
$ gdb -nx -ex 'pi print(sys.version)' -ex quit\nThis should display your version of Python compiled with gdb.
$ gdb -nx -ex 'pi print(sys.version)' -ex quit\n3.6.9 (default, Nov 7 2019, 10:44:02)\n[GCC 8.3.0]\nThere are none: GEF works out of the box!
GEF itself provides most (if not all \ud83e\udd2f) features required for typical sessions. However, GEF can be easily extended via - community-built scripts, functions and architectures in the repo gef-extras (see below) - your own script which can leverage the GEF API for the heavy lifting
The quickest way to get started with GEF is through the installation script available. Simply make sure you have GDB 8.0 or higher, compiled with Python 3.6 or higher, and run
bash -c \"$(curl -fsSL https://gef.blah.cat/sh)\"\nOr if you prefer wget
bash -c \"$(wget https://gef.blah.cat/sh -O -)\"\nAlternatively from inside gdb directly:
$ gdb -q\n(gdb) pi import urllib.request as u, tempfile as t; g=t.NamedTemporaryFile(suffix='-gef.py'); open(g.name, 'wb+').write(u.urlopen('https://tinyurl.com/gef-main').read()); gdb.execute('source %s' % g.name)\nThat's it! GEF is installed and correctly set up. You can confirm it by checking the ~/.gdbinit file and see a line that sources (i.e. loads) GEF.
$ cat ~/.gdbinit\nsource ~/.gdbinit-gef.py\nIf your host/VM is connected to the Internet, you can update gef easily to the latest version (even without git installed). with python /path/to/gef.py --update
$ python ~/.gdbinit-gef.py --update\nUpdated\nThis will deploy the latest version of gef's main branch from Github. If no updates are available, gef will respond No update instead.
To contribute to GEF, you might prefer using git directly.
$ git clone --branch dev https://github.com/hugsy/gef.git\n$ echo source `pwd`/gef/gef.py >> ~/.gdbinit\nGEF is in very active development, so the default branch is dev. This is the branch you must use if you intend to submit pull requests.
However if you prefer a more stable life, you can then switch to the main branch:
$ git checkout main\nThe main branch gets only updated for new releases, or also when critical fixes occur and need to be patched urgently.
GEF was built to also provide a solid base for external scripts. The repository gef-extras is an open repository where anyone can freely submit their own commands to extend GDB via GEF's API.
To benefit from it:
# using the automated way\n## via the install script\n$ bash -c \"$(wget https://github.com/hugsy/gef/raw/main/scripts/gef-extras.sh -O -)\"\n\n# or manually\n## clone the repo\n$ git clone --branch main https://github.com/hugsy/gef-extras.git\n\n## then specify gef to load this directory\n$ gdb -ex 'gef config gef.extra_plugins_dir \"/path/to/gef-extras/scripts\"' -ex 'gef save' -ex quit\n[+] Configuration saved\nYou can also use the structures defined from this repository:
$ gdb -ex 'gef config pcustom.struct_path \"/path/to/gef-extras/structs\"' -ex 'gef save' -ex quit\n[+] Configuration saved\nThere, you're now fully equipped epic pwnage with all GEF's goodness!!
"},{"location":"install/#uninstalling-gef","title":"Uninstalling GEF","text":""},{"location":"install/#prevent-script-loading","title":"Prevent script loading","text":"GDB provides the -nx command line flag to disable the commands from the ~/.gdbinit to be executed.
gdb -nx\nTo disable GEF without removing it, go to editing ~/.gdbinit, spot the line that sources GEF, and comment / delete that line:
So:
$ cat ~/.gdbinit\nsource /my/path/to/gef.py\nWill become:
$ cat ~/.gdbinit\n# source /my/path/to/gef.py\nRestart GDB, GEF is gone. Note that you can also load GEF at any moment during your GDB session as such:
$ gdb\n(gdb) source /my/path/to/gef.py\nGEF is a one-file GDB script. Therefore, to remove GEF simply spot the location it was installed (for example, by using ~/.gdbinit) and delete the file. If a configuration file was created, it will be located as ~/.gef.rc and can also be deleted:
$ cat ~/.gdbinit\n# source /my/path/to/gef.py\n$ rm /my/path/to/gef.py ~/.gef.rc\nGEF is totally removed from your system.
"},{"location":"screenshots/","title":"Screenshots","text":"This page illustrates a few of the possibilities available to you when using GEF.
GEF was designed to support any architecture supported by GDB via an easily extensible architecture API.
Currently GEF supports the following architectures:
To this day, GDB doesn't come with a hexdump-like view. Well GEF fixes that for you via the hexdump command:
No more endless manual pointer dereferencing x/x style. Just use dereference for that. Or for a comprehensive view of the registers, registers might become your best friend:
This page describes how GEF testing is done. Any new command/functionality must receive adequate testing to be merged. Also PR failing CI (test + linting) won't be merged either.
"},{"location":"testing/#prerequisites","title":"Prerequisites","text":"All the prerequisite packages are in requirements.txt file at the root of the project. So running
python -m pip install -r tests/requirements.txt --user -U\nis enough to get started.
"},{"location":"testing/#running-tests","title":"Running tests","text":""},{"location":"testing/#basic-pytest","title":"Basicpytest","text":"For testing GEF on the architecture on the host running the tests (most cases), simply run
cd /root/of/gef\npython3 -m pytest -v -k \"not benchmark\" tests\nNote that to ensure compatibility, tests must be executed with the same Python version GDB was compiled against. To obtain this version, you can execute the following command:
gdb -q -nx -ex \"pi print('.'.join(map(str, sys.version_info[:2])))\" -ex quit\nAt the end, a summary of explanation will be shown, clearly indicating the tests that have failed, for instance:
=================================== short test summary info ==================================\nFAILED tests/commands/heap.py::HeapCommand::test_cmd_heap_bins_large - AssertionError: 'siz...\nFAILED tests/commands/heap.py::HeapCommand::test_cmd_heap_bins_small - AssertionError: 'siz...\nFAILED tests/commands/heap.py::HeapCommand::test_cmd_heap_bins_unsorted - AssertionError: '...\n======================== 3 failed, 4 passed, 113 deselected in 385.77s (0:06:25)==============\nYou can then use pytest directly to help you fix each error specifically.
pytest","text":"GEF entirely relies on pytest for its testing. Refer to the project documentation for details.
Adding a new command requires for extensive testing in a new dedicated test module that should be located in /root/of/gef/tests/commands/my_new_command.py
A skeleton of a test module would look something like:
\"\"\"\n`my-command` command test module\n\"\"\"\n\n\nfrom tests.utils import GefUnitTestGeneric, gdb_run_cmd, gdb_start_silent_cmd\n\n\nclass MyCommandCommand(GefUnitTestGeneric):\n \"\"\"`my-command` command test module\"\"\"\n\n def test_cmd_my_command(self):\n # `my-command` is expected to fail if the session is not active\n self.assertFailIfInactiveSession(gdb_run_cmd(\"my-command\"))\n\n # `my-command` should never throw an exception in GDB when running\n res = gdb_start_silent_cmd(\"my-command\")\n self.assertNoException(res)\n\n # it also must print out a \"Hello World\" message\n self.assertIn(\"Hello World\", res)\nWhen running your test, you can summon pytest with the --pdb flag to enter the python testing environment to help you get more information about the reason of failure.
One of the most convenient ways to test gef properly is using the pytest integration of modern editors such as VisualStudio Code or PyCharm. Without proper tests, new code will not be integrated.
You can use the Makefile at the root of the project to get the proper linting settings. For most cases, the following command is enough:
cd /root/of/gef\npython3 -m pylint --rcfile .pylintrc\nNote that to ensure compatibility, tests must be executed with the same Python version GDB was compiled against. To obtain this version, you can execute the following command:
gdb -q -nx -ex \"pi print('.'.join(map(str, sys.version_info[:2])))\" -ex quit\nBenchmarking relies on pytest-benchmark and is experimental for now.
You can run all benchmark test cases as such:
cd /root/of/gef\npytest -k benchmark\nwhich will return (after some time) an execution summary
tests/perf/benchmark.py .. [100%]\n\n\n---------------------------------------- benchmark: 3 tests -----------------------------------\nName (time in ms) Min Max Mean StdDev Median IQR Outliers OPS Rounds Iterations\n-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\ntime_baseline 612.2325 (1.0) 630.3416 (1.01) 623.7984 (1.01) 7.2848 (1.64) 626.1485 (1.01) 9.9971 (1.81) 1;0 1.6031 (0.99) 5 1\ntime_cmd_context 613.8124 (1.00) 625.8964 (1.0) 620.1908 (1.0) 4.4532 (1.0) 619.8831 (1.0) 5.5109 (1.0) 2;0 1.6124 (1.0) 5 1\ntime_elf_parsing 616.5053 (1.01) 638.6965 (1.02) 628.1588 (1.01) 8.2465 (1.85) 629.0099 (1.01) 10.7885 (1.96) 2;0 1.5920 (0.99) 5 1\n-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\n\nLegend:\n Outliers: 1 Standard Deviation from Mean; 1.5 IQR (InterQuartile Range) from 1st Quartile and 3rd Quartile.\n OPS: Operations Per Second, computed as 1 / Mean\n============================================== 3 passed, 117 deselected in 14.78s =============================================\nGEF","text":""},{"location":"api/gef/#global-variables","title":"Global Variables","text":"http_get","text":"http_get(url: str) \u2192 Optional[bytes]\nBasic HTTP wrapper for GET request. Return the body of the page if HTTP code is OK, otherwise return None.
"},{"location":"api/gef/#function-update_gef","title":"functionupdate_gef","text":"update_gef(argv: List[str]) \u2192 int\nTry to update gef to the latest version pushed on GitHub main branch. Return 0 on success, 1 on failure.
reset_all_caches","text":"reset_all_caches() \u2192 None\nFree all caches. If an object is cached, it will have a callable attribute cache_clear which will be invoked to purge the function cache.
reset","text":"reset() \u2192 None\nhighlight_text","text":"highlight_text(text: str) \u2192 str\nHighlight text using gef.ui.highlight_table { match -> color } settings.
If RegEx is enabled it will create a match group around all items in the gef.ui.highlight_table and wrap the specified color in the gef.ui.highlight_table around those matches.
If RegEx is disabled, split by ANSI codes and 'colorify' each match found within the specified string.
"},{"location":"api/gef/#function-gef_print","title":"functiongef_print","text":"gef_print(*args: str, end='\\n', sep=' ', **kwargs: Any) \u2192 None\nWrapper around print(), using string buffering feature.
"},{"location":"api/gef/#function-bufferize","title":"functionbufferize","text":"bufferize(f: Callable) \u2192 Callable\nStore the content to be printed for a function in memory, and flush it on function exit.
"},{"location":"api/gef/#function-p8","title":"functionp8","text":"p8(\n x: int,\n s: bool = False,\n e: Optional[ForwardRef('Endianness')] = None\n) \u2192 bytes\nPack one byte respecting the current architecture endianness.
"},{"location":"api/gef/#function-p16","title":"functionp16","text":"p16(\n x: int,\n s: bool = False,\n e: Optional[ForwardRef('Endianness')] = None\n) \u2192 bytes\nPack one word respecting the current architecture endianness.
"},{"location":"api/gef/#function-p32","title":"functionp32","text":"p32(\n x: int,\n s: bool = False,\n e: Optional[ForwardRef('Endianness')] = None\n) \u2192 bytes\nPack one dword respecting the current architecture endianness.
"},{"location":"api/gef/#function-p64","title":"functionp64","text":"p64(\n x: int,\n s: bool = False,\n e: Optional[ForwardRef('Endianness')] = None\n) \u2192 bytes\nPack one qword respecting the current architecture endianness.
"},{"location":"api/gef/#function-u8","title":"functionu8","text":"u8(\n x: bytes,\n s: bool = False,\n e: Optional[ForwardRef('Endianness')] = None\n) \u2192 int\nUnpack one byte respecting the current architecture endianness.
"},{"location":"api/gef/#function-u16","title":"functionu16","text":"u16(\n x: bytes,\n s: bool = False,\n e: Optional[ForwardRef('Endianness')] = None\n) \u2192 int\nUnpack one word respecting the current architecture endianness.
"},{"location":"api/gef/#function-u32","title":"functionu32","text":"u32(\n x: bytes,\n s: bool = False,\n e: Optional[ForwardRef('Endianness')] = None\n) \u2192 int\nUnpack one dword respecting the current architecture endianness.
"},{"location":"api/gef/#function-u64","title":"functionu64","text":"u64(\n x: bytes,\n s: bool = False,\n e: Optional[ForwardRef('Endianness')] = None\n) \u2192 int\nUnpack one qword respecting the current architecture endianness.
"},{"location":"api/gef/#function-is_ascii_string","title":"functionis_ascii_string","text":"is_ascii_string(address: int) \u2192 bool\nHelper function to determine if the buffer pointed by address is an ASCII string (in GDB)
is_alive","text":"is_alive() \u2192 bool\nCheck if GDB is running.
"},{"location":"api/gef/#function-calling_function","title":"functioncalling_function","text":"calling_function() \u2192 Optional[str]\nReturn the name of the calling function
"},{"location":"api/gef/#function-only_if_gdb_running","title":"functiononly_if_gdb_running","text":"only_if_gdb_running(f: Callable) \u2192 Callable\nDecorator wrapper to check if GDB is running.
"},{"location":"api/gef/#function-only_if_gdb_target_local","title":"functiononly_if_gdb_target_local","text":"only_if_gdb_target_local(f: Callable) \u2192 Callable\nDecorator wrapper to check if GDB is running locally (target not remote).
"},{"location":"api/gef/#function-deprecated","title":"functiondeprecated","text":"deprecated(solution: str = '') \u2192 Callable\nDecorator to add a warning when a command is obsolete and will be removed.
"},{"location":"api/gef/#function-experimental_feature","title":"functionexperimental_feature","text":"experimental_feature(f: Callable) \u2192 Callable\nDecorator to add a warning when a feature is experimental.
"},{"location":"api/gef/#function-only_if_events_supported","title":"functiononly_if_events_supported","text":"only_if_events_supported(event_type: str) \u2192 Callable\nChecks if GDB supports events without crashing.
"},{"location":"api/gef/#function-wrapped_f","title":"functionwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nwrapped_f","text":"wrapped_f(*args: Any, **kwargs: Any) \u2192 Any\nFakeExit","text":"FakeExit(*args: Any, **kwargs: Any) \u2192 NoReturn\nparse_arguments","text":"parse_arguments(\n required_arguments: Dict[Union[str, Tuple[str, str]], Any],\n optional_arguments: Dict[Union[str, Tuple[str, str]], Any]\n) \u2192 Callable\nArgument parsing decorator.
"},{"location":"api/gef/#function-search_for_main_arena","title":"functionsearch_for_main_arena","text":"search_for_main_arena() \u2192 int\nsearch_for_main_arena is DEPRECATED and will be removed in the future. Use GefHeapManager.find_main_arena_addr()
get_libc_version","text":"get_libc_version() \u2192 Tuple[int, ...]\nget_libc_version is DEPRECATED and will be removed in the future. Use GefLibcManager.find_libc_version()
titlify","text":"titlify(\n text: str,\n color: Optional[str] = None,\n msg_color: Optional[str] = None\n) \u2192 str\nPrint a centered title.
"},{"location":"api/gef/#function-dbg","title":"functiondbg","text":"dbg(msg: str) \u2192 None\nerr","text":"err(msg: str) \u2192 None\nwarn","text":"warn(msg: str) \u2192 None\nok","text":"ok(msg: str) \u2192 None\ninfo","text":"info(msg: str) \u2192 None\npush_context_message","text":"push_context_message(level: str, message: str) \u2192 None\nPush the message to be displayed the next time the context is invoked.
"},{"location":"api/gef/#function-show_last_exception","title":"functionshow_last_exception","text":"show_last_exception() \u2192 None\nDisplay the last Python exception.
"},{"location":"api/gef/#function-gef_pystring","title":"functiongef_pystring","text":"gef_pystring(x: bytes) \u2192 str\nReturns a sanitized version as string of the bytes list given in input.
"},{"location":"api/gef/#function-gef_pybytes","title":"functiongef_pybytes","text":"gef_pybytes(x: str) \u2192 bytes\nReturns an immutable bytes list from the string given as input.
"},{"location":"api/gef/#function-style_byte","title":"functionstyle_byte","text":"style_byte(b: int, color: bool = True) \u2192 str\nhexdump","text":"hexdump(\n source: ByteString,\n length: int = 16,\n separator: str = '.',\n show_raw: bool = False,\n show_symbol: bool = True,\n base: int = 0\n) \u2192 str\nReturn the hexdump of src argument. @param source MUST be of type bytes or bytearray @param length is the length of items per line @param separator is the default character to use if one byte is not printable @param show_raw if True, do not add the line nor the text translation @param base is the start address of the block being hexdump @return a string with the hexdump
is_debug","text":"is_debug() \u2192 bool\nCheck if debug mode is enabled.
"},{"location":"api/gef/#function-buffer_output","title":"functionbuffer_output","text":"buffer_output() \u2192 bool\nCheck if output should be buffered until command completion.
"},{"location":"api/gef/#function-hide_context","title":"functionhide_context","text":"hide_context() \u2192 bool\nHelper function to hide the context pane.
"},{"location":"api/gef/#function-unhide_context","title":"functionunhide_context","text":"unhide_context() \u2192 bool\nHelper function to unhide the context pane.
"},{"location":"api/gef/#function-enable_redirect_output","title":"functionenable_redirect_output","text":"enable_redirect_output(to_file: str = '/dev/null') \u2192 None\nRedirect all GDB output to to_file parameter. By default, to_file redirects to /dev/null.
disable_redirect_output","text":"disable_redirect_output() \u2192 None\nDisable the output redirection, if any.
"},{"location":"api/gef/#function-gef_makedirs","title":"functiongef_makedirs","text":"gef_makedirs(path: str, mode: int = 493) \u2192 Path\nRecursive mkdir() creation. If successful, return the absolute path of the directory created.
"},{"location":"api/gef/#function-gdb_disassemble","title":"functiongdb_disassemble","text":"gdb_disassemble(\n start_pc: int,\n **kwargs: int\n) \u2192 Generator[__main__.Instruction, NoneType, NoneType]\nDisassemble instructions from start_pc (Integer). Accepts the following named
parameters:
end_pc (Integer) only instructions whose start address fall in the interval from start_pc to end_pc are returned. count (Integer) list at most this many disassembled instructions If end_pc and count are not provided, the function will behave as if count=1. Return an iterator of Instruction objects gdb_get_nth_previous_instruction_address","text":"gdb_get_nth_previous_instruction_address(addr: int, n: int) \u2192 Optional[int]\nReturn the address (Integer) of the n-th instruction before addr.
gdb_get_nth_next_instruction_address","text":"gdb_get_nth_next_instruction_address(addr: int, n: int) \u2192 int\nReturn the address of the n-th instruction after addr. gdb_get_nth_next_instruction_address is DEPRECATED and will be removed in the future. Use gef_instruction_n().address
gef_instruction_n","text":"gef_instruction_n(addr: int, n: int) \u2192 Instruction\nReturn the n-th instruction after addr as an Instruction object. Note that n is treated as an positive index, starting from 0 (current instruction address)
gef_get_instruction_at","text":"gef_get_instruction_at(addr: int) \u2192 Instruction\nReturn the full Instruction found at the specified address.
"},{"location":"api/gef/#function-gef_current_instruction","title":"functiongef_current_instruction","text":"gef_current_instruction(addr: int) \u2192 Instruction\nReturn the current instruction as an Instruction object.
"},{"location":"api/gef/#function-gef_next_instruction","title":"functiongef_next_instruction","text":"gef_next_instruction(addr: int) \u2192 Instruction\nReturn the next instruction as an Instruction object.
"},{"location":"api/gef/#function-gef_disassemble","title":"functiongef_disassemble","text":"gef_disassemble(\n addr: int,\n nb_insn: int,\n nb_prev: int = 0\n) \u2192 Generator[__main__.Instruction, NoneType, NoneType]\nDisassemble nb_insn instructions after addr and nb_prev before addr. Return an iterator of Instruction objects.
gef_execute_external","text":"gef_execute_external(\n command: Sequence[str],\n as_list: bool = False,\n **kwargs: Any\n) \u2192 Union[str, List[str]]\nExecute an external command and return the result.
"},{"location":"api/gef/#function-gef_execute_gdb_script","title":"functiongef_execute_gdb_script","text":"gef_execute_gdb_script(commands: str) \u2192 None\nExecute the parameter source as GDB command. This is done by writing commands to a temporary file, which is then executed via GDB source command. The tempfile is then deleted.
checksec","text":"checksec(filename: str) \u2192 Dict[str, bool]\nchecksec is DEPRECATED and will be removed in the future. Use Elf(fname).checksec()
get_entry_point","text":"get_entry_point() \u2192 Optional[int]\nReturn the binary entry point. get_entry_point is DEPRECATED and will be removed in the future. Use gef.binary.entry_point instead
is_pie","text":"is_pie(fpath: str) \u2192 bool\nis_big_endian","text":"is_big_endian() \u2192 bool\nis_big_endian is DEPRECATED and will be removed in the future. Prefer gef.arch.endianness == Endianness.BIG_ENDIAN
is_little_endian","text":"is_little_endian() \u2192 bool\nis_little_endian is DEPRECATED and will be removed in the future. gef.arch.endianness == Endianness.LITTLE_ENDIAN
flags_to_human","text":"flags_to_human(reg_value: int, value_table: Dict[int, str]) \u2192 str\nReturn a human readable string showing the flag states.
"},{"location":"api/gef/#function-register_architecture","title":"functionregister_architecture","text":"register_architecture(\n cls: Type[ForwardRef('Architecture')]\n) \u2192 Type[ForwardRef('Architecture')]\nregister_architecture is DEPRECATED and will be removed in the future. Using the decorator register_architecture is unecessary
copy_to_clipboard","text":"copy_to_clipboard(data: bytes) \u2192 None\nHelper function to submit data to the clipboard
"},{"location":"api/gef/#function-use_stdtype","title":"functionuse_stdtype","text":"use_stdtype() \u2192 str\nuse_default_type","text":"use_default_type() \u2192 str\nuse_golang_type","text":"use_golang_type() \u2192 str\nuse_rust_type","text":"use_rust_type() \u2192 str\nto_unsigned_long","text":"to_unsigned_long(v: gdb.Value) \u2192 int\nCast a gdb.Value to unsigned long.
"},{"location":"api/gef/#function-get_path_from_info_proc","title":"functionget_path_from_info_proc","text":"get_path_from_info_proc() \u2192 Optional[str]\nget_os","text":"get_os() \u2192 str\nget_os is DEPRECATED and will be removed in the future. Use gef.session.os
get_filepath","text":"get_filepath() \u2192 Optional[str]\nReturn the local absolute path of the file currently debugged.
"},{"location":"api/gef/#function-get_function_length","title":"functionget_function_length","text":"get_function_length(sym: str) \u2192 int\nAttempt to get the length of the raw bytes of a function.
"},{"location":"api/gef/#function-process_lookup_address","title":"functionprocess_lookup_address","text":"process_lookup_address(address: int) \u2192 Optional[__main__.Section]\nLook up for an address in memory. Return an Address object if found, None otherwise.
"},{"location":"api/gef/#function-xor","title":"functionxor","text":"xor(data: ByteString, key: str) \u2192 bytearray\nReturn data xor-ed with key.
is_hex","text":"is_hex(pattern: str) \u2192 bool\nReturn whether provided string is a hexadecimal value.
"},{"location":"api/gef/#function-continue_handler","title":"functioncontinue_handler","text":"continue_handler(_: 'gdb.ContinueEvent') \u2192 None\nGDB event handler for new object continue cases.
"},{"location":"api/gef/#function-hook_stop_handler","title":"functionhook_stop_handler","text":"hook_stop_handler(_: 'gdb.StopEvent') \u2192 None\nGDB event handler for stop cases.
"},{"location":"api/gef/#function-new_objfile_handler","title":"functionnew_objfile_handler","text":"new_objfile_handler(evt: Optional[ForwardRef('gdb.NewObjFileEvent')]) \u2192 None\nGDB event handler for new object file cases.
"},{"location":"api/gef/#function-exit_handler","title":"functionexit_handler","text":"exit_handler(_: 'gdb.ExitedEvent') \u2192 None\nGDB event handler for exit cases.
"},{"location":"api/gef/#function-memchanged_handler","title":"functionmemchanged_handler","text":"memchanged_handler(_: 'gdb.MemoryChangedEvent') \u2192 None\nGDB event handler for mem changes cases.
"},{"location":"api/gef/#function-regchanged_handler","title":"functionregchanged_handler","text":"regchanged_handler(_: 'gdb.RegisterChangedEvent') \u2192 None\nGDB event handler for reg changes cases.
"},{"location":"api/gef/#function-get_terminal_size","title":"functionget_terminal_size","text":"get_terminal_size() \u2192 Tuple[int, int]\nReturn the current terminal size.
"},{"location":"api/gef/#function-reset_architecture","title":"functionreset_architecture","text":"reset_architecture(arch: Optional[str] = None) \u2192 None\nSets the current architecture. If an architecture is explicitly specified by parameter, try to use that one. If this fails, an OSError exception will occur. If no architecture is specified, then GEF will attempt to determine automatically based on the current ELF target. If this fails, an OSError exception will occur.
get_memory_alignment","text":"get_memory_alignment(in_bits: bool = False) \u2192 int\nTry to determine the size of a pointer on this system. First, try to parse it out of the ELF header. Next, use the size of size_t. Finally, try the size of $pc. If in_bits is set to True, the result is returned in bits, otherwise in bytes. get_memory_alignment is DEPRECATED and will be removed in the future. Use gef.arch.ptrsize instead
clear_screen","text":"clear_screen(tty: str = '') \u2192 None\nClear the screen.
"},{"location":"api/gef/#function-format_address","title":"functionformat_address","text":"format_address(addr: int) \u2192 str\nFormat the address according to its size.
"},{"location":"api/gef/#function-format_address_spaces","title":"functionformat_address_spaces","text":"format_address_spaces(addr: int, left: bool = True) \u2192 str\nFormat the address according to its size, but with spaces instead of zeroes.
"},{"location":"api/gef/#function-align_address","title":"functionalign_address","text":"align_address(address: int) \u2192 int\nAlign the provided address to the process's native length.
"},{"location":"api/gef/#function-align_address_to_size","title":"functionalign_address_to_size","text":"align_address_to_size(address: int, align: int) \u2192 int\nAlign the address to the given size.
"},{"location":"api/gef/#function-align_address_to_page","title":"functionalign_address_to_page","text":"align_address_to_page(address: int) \u2192 int\nAlign the address to a page.
"},{"location":"api/gef/#function-parse_address","title":"functionparse_address","text":"parse_address(address: str) \u2192 int\nParse an address and return it as an Integer.
"},{"location":"api/gef/#function-is_in_x86_kernel","title":"functionis_in_x86_kernel","text":"is_in_x86_kernel(address: int) \u2192 bool\nis_remote_debug","text":"is_remote_debug() \u2192 bool\n\"Return True is the current debugging session is running through GDB remote session.
"},{"location":"api/gef/#function-de_bruijn","title":"functionde_bruijn","text":"de_bruijn(alphabet: bytes, n: int) \u2192 Generator[str, NoneType, NoneType]\nDe Bruijn sequence for alphabet and subsequences of length n (for compat. w/ pwnlib).
"},{"location":"api/gef/#function-generate_cyclic_pattern","title":"functiongenerate_cyclic_pattern","text":"generate_cyclic_pattern(length: int, cycle: int = 4) \u2192 bytearray\nCreate a length byte bytearray of a de Bruijn cyclic pattern.
safe_parse_and_eval","text":"safe_parse_and_eval(value: str) \u2192 Optional[ForwardRef('gdb.Value')]\nGEF wrapper for gdb.parse_and_eval(): this function returns None instead of raising gdb.error if the eval failed.
"},{"location":"api/gef/#function-gef_convenience","title":"functiongef_convenience","text":"gef_convenience(value: Union[str, bytes]) \u2192 str\nDefines a new convenience value.
"},{"location":"api/gef/#function-parse_string_range","title":"functionparse_string_range","text":"parse_string_range(s: str) \u2192 Iterator[int]\nParses an address range (e.g. 0x400000-0x401000)
"},{"location":"api/gef/#function-gef_get_pie_breakpoint","title":"functiongef_get_pie_breakpoint","text":"gef_get_pie_breakpoint(num: int) \u2192 PieVirtualBreakpoint\ngef_get_pie_breakpoint is DEPRECATED and will be removed in the future. Use gef.session.pie_breakpoints[num]
endian_str","text":"endian_str() \u2192 str\nendian_str is DEPRECATED and will be removed in the future. Use str(gef.arch.endianness) instead
get_gef_setting","text":"get_gef_setting(name: str) \u2192 Any\nget_gef_setting is DEPRECATED and will be removed in the future. Use gef.config[key]
set_gef_setting","text":"set_gef_setting(name: str, value: Any) \u2192 None\nset_gef_setting is DEPRECATED and will be removed in the future. Use gef.config[key] = value
gef_getpagesize","text":"gef_getpagesize() \u2192 int\ngef_getpagesize is DEPRECATED and will be removed in the future. Use gef.session.pagesize
gef_read_canary","text":"gef_read_canary() \u2192 Optional[Tuple[int, int]]\ngef_read_canary is DEPRECATED and will be removed in the future. Use gef.session.canary
get_pid","text":"get_pid() \u2192 int\nget_pid is DEPRECATED and will be removed in the future. Use gef.session.pid
get_filename","text":"get_filename() \u2192 str\nget_filename is DEPRECATED and will be removed in the future. Use gef.session.file.name
get_glibc_arena","text":"get_glibc_arena() \u2192 Optional[__main__.GlibcArena]\nget_glibc_arena is DEPRECATED and will be removed in the future. Use gef.heap.main_arena
get_register","text":"get_register(regname) \u2192 Optional[int]\nget_register is DEPRECATED and will be removed in the future. Use gef.arch.register(regname)
get_process_maps","text":"get_process_maps() \u2192 List[__main__.Section]\nget_process_maps is DEPRECATED and will be removed in the future. Use gef.memory.maps
set_arch","text":"set_arch(arch: Optional[str] = None, _: Optional[str] = None) \u2192 None\nset_arch is DEPRECATED and will be removed in the future. Use reset_architecture
register_external_context_pane","text":"register_external_context_pane(\n pane_name: str,\n display_pane_function: Callable[[], NoneType],\n pane_title_function: Callable[[], Optional[str]],\n condition: Optional[Callable[[], bool]] = None\n) \u2192 None\nRegistering function for new GEF Context View. pane_name: a string that has no spaces (used in settings) display_pane_function: a function that uses gef_print() to print strings pane_title_function: a function that returns a string or None, which will be displayed as the title. If None, no title line is displayed. condition: an optional callback: if not None, the callback will be executed first. If it returns true, then only the pane title and content will displayed. Otherwise, it's simply skipped.
Example usage for a simple text to show when we hit a syscall: def only_syscall(): return gef_current_instruction(gef.arch.pc).is_syscall() def display_pane(): gef_print(\"Wow, I am a context pane!\") def pane_title(): return \"example:pane\" register_external_context_pane(\"example_pane\", display_pane, pane_title, only_syscall)
"},{"location":"api/gef/#function-register_external_command","title":"functionregister_external_command","text":"register_external_command(\n cls: Type[ForwardRef('GenericCommand')]\n) \u2192 Type[ForwardRef('GenericCommand')]\nRegistering function for new GEF (sub-)command to GDB. register_external_command is DEPRECATED and will be removed in the future. Use register(), and inherit from GenericCommand instead
register_command","text":"register_command(\n cls: Type[ForwardRef('GenericCommand')]\n) \u2192 Type[ForwardRef('GenericCommand')]\nDecorator for registering new GEF (sub-)command to GDB. register_command is DEPRECATED and will be removed in the future. Use register(), and inherit from GenericCommand instead
register_priority_command","text":"register_priority_command(\n cls: Type[ForwardRef('GenericCommand')]\n) \u2192 Type[ForwardRef('GenericCommand')]\nDecorator for registering new command with priority, meaning that it must loaded before the other generic commands. register_priority_command is DEPRECATED and will be removed in the future.
register","text":"register(\n cls: Union[Type[ForwardRef('GenericCommand')], Type[ForwardRef('GenericFunction')]]\n) \u2192 Union[Type[ForwardRef('GenericCommand')], Type[ForwardRef('GenericFunction')]]\nregister_function","text":"register_function(\n cls: Type[ForwardRef('GenericFunction')]\n) \u2192 Type[ForwardRef('GenericFunction')]\nDecorator for registering a new convenience function to GDB. register_function is DEPRECATED and will be removed in the future.
AARCH64","text":""},{"location":"api/gef/#property-aarch64cpsr","title":"property AARCH64.cpsr","text":""},{"location":"api/gef/#property-aarch64endianness","title":"property AARCH64.endianness","text":""},{"location":"api/gef/#property-aarch64fp","title":"property AARCH64.fp","text":""},{"location":"api/gef/#property-aarch64instruction_length","title":"property AARCH64.instruction_length","text":""},{"location":"api/gef/#property-aarch64pc","title":"property AARCH64.pc","text":""},{"location":"api/gef/#property-aarch64ptrsize","title":"property AARCH64.ptrsize","text":"Determine the size of pointer from the current CPU mode
"},{"location":"api/gef/#property-aarch64registers","title":"property AARCH64.registers","text":""},{"location":"api/gef/#property-aarch64sp","title":"property AARCH64.sp","text":""},{"location":"api/gef/#function-aarch64canary_address","title":"functionAARCH64.canary_address","text":"canary_address() \u2192 int\nAARCH64.flag_register_to_human","text":"flag_register_to_human(val: Optional[int] = None) \u2192 str\nAARCH64.get_ith_parameter","text":"get_ith_parameter(i: int, in_func: bool = True) \u2192 Tuple[str, Optional[int]]\nRetrieves the correct parameter used for the current function call.
"},{"location":"api/gef/#function-aarch64get_ra","title":"functionAARCH64.get_ra","text":"get_ra(insn: __main__.Instruction, frame: 'gdb.Frame') \u2192 int\nAARCH64.is_aarch32","text":"is_aarch32() \u2192 bool\nDetermine if the CPU is currently in AARCH32 mode from runtime.
"},{"location":"api/gef/#function-aarch64is_branch_taken","title":"functionAARCH64.is_branch_taken","text":"is_branch_taken(insn: __main__.Instruction) \u2192 Tuple[bool, str]\nAARCH64.is_call","text":"is_call(insn: __main__.Instruction) \u2192 bool\nAARCH64.is_conditional_branch","text":"is_conditional_branch(insn: __main__.Instruction) \u2192 bool\nAARCH64.is_ret","text":"is_ret(insn: __main__.Instruction) \u2192 bool\nAARCH64.is_thumb","text":"is_thumb() \u2192 bool\nDetermine if the machine is currently in THUMB mode.
"},{"location":"api/gef/#function-aarch64is_thumb32","title":"functionAARCH64.is_thumb32","text":"is_thumb32() \u2192 bool\nDetermine if the CPU is currently in THUMB32 mode from runtime.
"},{"location":"api/gef/#function-aarch64mprotect_asm","title":"functionAARCH64.mprotect_asm","text":"mprotect_asm(addr: int, size: int, perm: __main__.Permission) \u2192 str\nAARCH64.register","text":"register(name: str) \u2192 int\nAARCH64.reset_caches","text":"reset_caches() \u2192 None\nAARCH64.supports_gdb_arch","text":"supports_gdb_arch(gdb_arch: str) \u2192 Optional[bool]\nIf implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
ARM","text":""},{"location":"api/gef/#property-armcpsr","title":"property ARM.cpsr","text":""},{"location":"api/gef/#property-armendianness","title":"property ARM.endianness","text":""},{"location":"api/gef/#property-armfp","title":"property ARM.fp","text":""},{"location":"api/gef/#property-arminstruction_length","title":"property ARM.instruction_length","text":""},{"location":"api/gef/#property-armmode","title":"property ARM.mode","text":""},{"location":"api/gef/#property-armpc","title":"property ARM.pc","text":""},{"location":"api/gef/#property-armptrsize","title":"property ARM.ptrsize","text":""},{"location":"api/gef/#property-armregisters","title":"property ARM.registers","text":""},{"location":"api/gef/#property-armsp","title":"property ARM.sp","text":""},{"location":"api/gef/#function-armcanary_address","title":"function ARM.canary_address","text":"canary_address() \u2192 int\nARM.flag_register_to_human","text":"flag_register_to_human(val: Optional[int] = None) \u2192 str\nARM.get_ith_parameter","text":"get_ith_parameter(i: int, in_func: bool = True) \u2192 Tuple[str, Optional[int]]\nRetrieves the correct parameter used for the current function call.
"},{"location":"api/gef/#function-armget_ra","title":"functionARM.get_ra","text":"get_ra(insn: __main__.Instruction, frame: 'gdb.Frame') \u2192 int\nARM.is_branch_taken","text":"is_branch_taken(insn: __main__.Instruction) \u2192 Tuple[bool, str]\nARM.is_call","text":"is_call(insn: __main__.Instruction) \u2192 bool\nARM.is_conditional_branch","text":"is_conditional_branch(insn: __main__.Instruction) \u2192 bool\nARM.is_ret","text":"is_ret(insn: __main__.Instruction) \u2192 bool\nARM.is_thumb","text":"is_thumb() \u2192 bool\nDetermine if the machine is currently in THUMB mode.
"},{"location":"api/gef/#function-armmprotect_asm","title":"functionARM.mprotect_asm","text":"mprotect_asm(addr: int, size: int, perm: __main__.Permission) \u2192 str\nARM.register","text":"register(name: str) \u2192 int\nARM.reset_caches","text":"reset_caches() \u2192 None\nARM.supports_gdb_arch","text":"supports_gdb_arch(gdb_arch: str) \u2192 Optional[bool]\nIf implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
ASLRCommand","text":"View/modify the ASLR setting of GDB. By default, GDB will disable ASLR when it starts the process. (i.e. not attached). This command allows to change that setting.
"},{"location":"api/gef/#function-aslrcommand__init__","title":"functionASLRCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-aslrcommandadd_setting","title":"functionASLRCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
ASLRCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
ASLRCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nASLRCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
ASLRCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
ASLRCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nASLRCommand.post_load","text":"post_load() \u2192 None\nASLRCommand.pre_load","text":"pre_load() \u2192 None\nASLRCommand.usage","text":"usage() \u2192 None\nAddress","text":"GEF representation of memory addresses.
"},{"location":"api/gef/#function-address__init__","title":"functionAddress.__init__","text":"__init__(**kwargs: Any) \u2192 None\nAddress.dereference","text":"dereference() \u2192 Optional[int]\nAddress.is_in_heap_segment","text":"is_in_heap_segment() \u2192 bool\nAddress.is_in_stack_segment","text":"is_in_stack_segment() \u2192 bool\nAddress.is_in_text_segment","text":"is_in_text_segment() \u2192 bool\nAliasesAddCommand","text":"Command to add aliases.
"},{"location":"api/gef/#function-aliasesaddcommand__init__","title":"functionAliasesAddCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-aliasesaddcommandadd_setting","title":"functionAliasesAddCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
AliasesAddCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
AliasesAddCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nAliasesAddCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
AliasesAddCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
AliasesAddCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nAliasesAddCommand.post_load","text":"post_load() \u2192 None\nAliasesAddCommand.pre_load","text":"pre_load() \u2192 None\nAliasesAddCommand.usage","text":"usage() \u2192 None\nAliasesCommand","text":"Base command to add, remove, or list aliases.
"},{"location":"api/gef/#function-aliasescommand__init__","title":"functionAliasesCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-aliasescommandadd_setting","title":"functionAliasesCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
AliasesCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
AliasesCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nAliasesCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
AliasesCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
AliasesCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nAliasesCommand.post_load","text":"post_load() \u2192 None\nAliasesCommand.pre_load","text":"pre_load() \u2192 None\nAliasesCommand.usage","text":"usage() \u2192 None\nAliasesListCommand","text":"Command to list aliases.
"},{"location":"api/gef/#function-aliaseslistcommand__init__","title":"functionAliasesListCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-aliaseslistcommandadd_setting","title":"functionAliasesListCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
AliasesListCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
AliasesListCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nAliasesListCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
AliasesListCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
AliasesListCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nAliasesListCommand.post_load","text":"post_load() \u2192 None\nAliasesListCommand.pre_load","text":"pre_load() \u2192 None\nAliasesListCommand.usage","text":"usage() \u2192 None\nAliasesRmCommand","text":"Command to remove aliases.
"},{"location":"api/gef/#function-aliasesrmcommand__init__","title":"functionAliasesRmCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-aliasesrmcommandadd_setting","title":"functionAliasesRmCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
AliasesRmCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
AliasesRmCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nAliasesRmCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
AliasesRmCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
AliasesRmCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nAliasesRmCommand.post_load","text":"post_load() \u2192 None\nAliasesRmCommand.pre_load","text":"pre_load() \u2192 None\nAliasesRmCommand.usage","text":"usage() \u2192 None\nArchitecture","text":"Generic metaclass for the architecture supported by GEF.
"},{"location":"api/gef/#property-architectureendianness","title":"property Architecture.endianness","text":""},{"location":"api/gef/#property-architecturefp","title":"property Architecture.fp","text":""},{"location":"api/gef/#property-architecturepc","title":"property Architecture.pc","text":""},{"location":"api/gef/#property-architectureptrsize","title":"property Architecture.ptrsize","text":""},{"location":"api/gef/#property-architectureregisters","title":"property Architecture.registers","text":""},{"location":"api/gef/#property-architecturesp","title":"property Architecture.sp","text":""},{"location":"api/gef/#function-architecturecanary_address","title":"functionArchitecture.canary_address","text":"canary_address() \u2192 int\nArchitecture.flag_register_to_human","text":"flag_register_to_human(val: Optional[int] = None) \u2192 str\nArchitecture.get_ith_parameter","text":"get_ith_parameter(i: int, in_func: bool = True) \u2192 Tuple[str, Optional[int]]\nRetrieves the correct parameter used for the current function call.
"},{"location":"api/gef/#function-architectureget_ra","title":"functionArchitecture.get_ra","text":"get_ra(insn: __main__.Instruction, frame: 'gdb.Frame') \u2192 Optional[int]\nArchitecture.is_branch_taken","text":"is_branch_taken(insn: __main__.Instruction) \u2192 Tuple[bool, str]\nArchitecture.is_call","text":"is_call(insn: __main__.Instruction) \u2192 bool\nArchitecture.is_conditional_branch","text":"is_conditional_branch(insn: __main__.Instruction) \u2192 bool\nArchitecture.is_ret","text":"is_ret(insn: __main__.Instruction) \u2192 bool\nArchitecture.mprotect_asm","text":"mprotect_asm(addr: int, size: int, perm: __main__.Permission) \u2192 str\nArchitecture.register","text":"register(name: str) \u2192 int\nArchitecture.reset_caches","text":"reset_caches() \u2192 None\nArchitecture.supports_gdb_arch","text":"supports_gdb_arch(gdb_arch: str) \u2192 Optional[bool]\nIf implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
ArchitectureBase","text":"Class decorator for declaring an architecture to GEF.
"},{"location":"api/gef/#class-bssbasefunction","title":"classBssBaseFunction","text":"Return the current bss base address plus the given offset.
"},{"location":"api/gef/#function-bssbasefunction__init__","title":"functionBssBaseFunction.__init__","text":"__init__() \u2192 None\nBssBaseFunction.arg_to_long","text":"arg_to_long(args: List, index: int, default: int = 0) \u2192 int\nBssBaseFunction.do_invoke","text":"do_invoke(args: List) \u2192 int\nBssBaseFunction.invoke","text":"invoke(*args: Any) \u2192 int\nCanaryCommand","text":"Shows the canary value of the current process.
"},{"location":"api/gef/#function-canarycommand__init__","title":"functionCanaryCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-canarycommandadd_setting","title":"functionCanaryCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
CanaryCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
CanaryCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nCanaryCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
CanaryCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
CanaryCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nCanaryCommand.post_load","text":"post_load() \u2192 None\nCanaryCommand.pre_load","text":"pre_load() \u2192 None\nCanaryCommand.usage","text":"usage() \u2192 None\nChangeFdCommand","text":"ChangeFdCommand: redirect file descriptor during runtime.
"},{"location":"api/gef/#function-changefdcommand__init__","title":"functionChangeFdCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-changefdcommandadd_setting","title":"functionChangeFdCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
ChangeFdCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
ChangeFdCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nChangeFdCommand.get_fd_from_result","text":"get_fd_from_result(res: str) \u2192 int\nChangeFdCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
ChangeFdCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
ChangeFdCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nChangeFdCommand.post_load","text":"post_load() \u2192 None\nChangeFdCommand.pre_load","text":"pre_load() \u2192 None\nChangeFdCommand.usage","text":"usage() \u2192 None\nChangePermissionBreakpoint","text":"When hit, this temporary breakpoint will restore the original code, and position $pc correctly.
"},{"location":"api/gef/#function-changepermissionbreakpoint__init__","title":"functionChangePermissionBreakpoint.__init__","text":"__init__(loc: str, code: ByteString, pc: int) \u2192 None\nChangePermissionBreakpoint.stop","text":"stop() \u2192 bool\nChecksecCommand","text":"Checksec the security properties of the current executable or passed as argument. The command checks for the following protections: - PIE - NX - RelRO - Glibc Stack Canaries - Fortify Source
"},{"location":"api/gef/#function-checkseccommand__init__","title":"functionChecksecCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-checkseccommandadd_setting","title":"functionChecksecCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
ChecksecCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
ChecksecCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nChecksecCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
ChecksecCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
ChecksecCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nChecksecCommand.post_load","text":"post_load() \u2192 None\nChecksecCommand.pre_load","text":"pre_load() \u2192 None\nChecksecCommand.print_security_properties","text":"print_security_properties(filename: str) \u2192 None\nChecksecCommand.usage","text":"usage() \u2192 None\nColor","text":"Used to colorify terminal output.
"},{"location":"api/gef/#function-colorblinkify","title":"functionColor.blinkify","text":"blinkify(msg: str) \u2192 str\nColor.blueify","text":"blueify(msg: str) \u2192 str\nColor.boldify","text":"boldify(msg: str) \u2192 str\nColor.colorify","text":"colorify(text: str, attrs: str) \u2192 str\nColor text according to the given attributes.
"},{"location":"api/gef/#function-colorcyanify","title":"functionColor.cyanify","text":"cyanify(msg: str) \u2192 str\nColor.grayify","text":"grayify(msg: str) \u2192 str\nColor.greenify","text":"greenify(msg: str) \u2192 str\nColor.highlightify","text":"highlightify(msg: str) \u2192 str\nColor.light_grayify","text":"light_grayify(msg: str) \u2192 str\nColor.pinkify","text":"pinkify(msg: str) \u2192 str\nColor.redify","text":"redify(msg: str) \u2192 str\nColor.underlinify","text":"underlinify(msg: str) \u2192 str\nColor.yellowify","text":"yellowify(msg: str) \u2192 str\nContextCommand","text":"Displays a comprehensive and modular summary of runtime context. Unless setting enable is set to False, this command will be spawned automatically every time GDB hits a breakpoint, a watchpoint, or any kind of interrupt. By default, it will show panes that contain the register states, the stack, and the disassembly code around $pc.
ContextCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-contextcommandadd_setting","title":"functionContextCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
ContextCommand.addr_has_breakpoint","text":"addr_has_breakpoint(address: int, bp_locations: List[str]) \u2192 bool\nContextCommand.context_additional_information","text":"context_additional_information() \u2192 None\nContextCommand.context_args","text":"context_args() \u2192 None\nContextCommand.context_code","text":"context_code() \u2192 None\nContextCommand.context_memory","text":"context_memory() \u2192 None\nContextCommand.context_regs","text":"context_regs() \u2192 None\nContextCommand.context_source","text":"context_source() \u2192 None\nContextCommand.context_stack","text":"context_stack() \u2192 None\nContextCommand.context_threads","text":"context_threads() \u2192 None\nContextCommand.context_title","text":"context_title(m: Optional[str]) \u2192 None\nContextCommand.context_trace","text":"context_trace() \u2192 None\nContextCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
ContextCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nContextCommand.empty_extra_messages","text":"empty_extra_messages(_) \u2192 None\nContextCommand.get_pc_context_info","text":"get_pc_context_info(pc: int, line: str) \u2192 str\nContextCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
ContextCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
ContextCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nContextCommand.line_has_breakpoint","text":"line_has_breakpoint(\n file_name: str,\n line_number: int,\n bp_locations: List[str]\n) \u2192 bool\nContextCommand.post_load","text":"post_load() \u2192 None\nContextCommand.pre_load","text":"pre_load() \u2192 None\nContextCommand.print_arguments_from_symbol","text":"print_arguments_from_symbol(function_name: str, symbol: 'gdb.Symbol') \u2192 None\nIf symbols were found, parse them and print the argument adequately.
"},{"location":"api/gef/#function-contextcommandprint_guessed_arguments","title":"functionContextCommand.print_guessed_arguments","text":"print_guessed_arguments(function_name: str) \u2192 None\nWhen no symbol, read the current basic block and look for \"interesting\" instructions.
"},{"location":"api/gef/#function-contextcommandshow_legend","title":"functionContextCommand.show_legend","text":"show_legend() \u2192 None\nContextCommand.update_registers","text":"update_registers(_) \u2192 None\nContextCommand.usage","text":"usage() \u2192 None\nDereferenceCommand","text":"Dereference recursively from an address and display information. This acts like WinDBG dps command.
DereferenceCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-dereferencecommandadd_setting","title":"functionDereferenceCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
DereferenceCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
DereferenceCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nDereferenceCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
DereferenceCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
DereferenceCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nDereferenceCommand.post_load","text":"post_load() \u2192 None\nDereferenceCommand.pprint_dereferenced","text":"pprint_dereferenced(addr: int, idx: int, base_offset: int = 0) \u2192 str\nDereferenceCommand.pre_load","text":"pre_load() \u2192 None\nDereferenceCommand.usage","text":"usage() \u2192 None\nDetailRegistersCommand","text":"Display full details on one, many or all registers value from current architecture.
"},{"location":"api/gef/#function-detailregisterscommand__init__","title":"functionDetailRegistersCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-detailregisterscommandadd_setting","title":"functionDetailRegistersCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
DetailRegistersCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
DetailRegistersCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nDetailRegistersCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
DetailRegistersCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
DetailRegistersCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nDetailRegistersCommand.post_load","text":"post_load() \u2192 None\nDetailRegistersCommand.pre_load","text":"pre_load() \u2192 None\nDetailRegistersCommand.usage","text":"usage() \u2192 None\nDisableContextOutputContext","text":""},{"location":"api/gef/#class-elf","title":"class Elf","text":"Basic ELF parsing. Ref: - http://www.skyfree.org/linux/references/ELF_Format.pdf - https://refspecs.linuxfoundation.org/elf/elfspec_ppc.pdf - https://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html
"},{"location":"api/gef/#function-elf__init__","title":"functionElf.__init__","text":"__init__(path: Union[str, pathlib.Path]) \u2192 None\nInstantiate an ELF object. A valid ELF must be provided, or an exception will be thrown.
"},{"location":"api/gef/#property-elfchecksec","title":"property Elf.checksec","text":"Check the security property of the ELF binary. The following properties are: - Canary - NX - PIE - Fortify - Partial/Full RelRO. Return a dict() with the different keys mentioned above, and the boolean associated whether the protection was found.
"},{"location":"api/gef/#property-elfentry_point","title":"property Elf.entry_point","text":""},{"location":"api/gef/#function-elfis_valid","title":"functionElf.is_valid","text":"is_valid(path: pathlib.Path) \u2192 bool\nElf.read","text":"read(size: int) \u2192 bytes\nElf.read_and_unpack","text":"read_and_unpack(fmt: str) \u2192 Tuple[Any, ...]\nElf.seek","text":"seek(off: int) \u2192 None\nElfInfoCommand","text":"Display a limited subset of ELF header information. If no argument is provided, the command will show information about the current ELF being debugged.
"},{"location":"api/gef/#function-elfinfocommand__init__","title":"functionElfInfoCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-elfinfocommandadd_setting","title":"functionElfInfoCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
ElfInfoCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
ElfInfoCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nElfInfoCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
ElfInfoCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
ElfInfoCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nElfInfoCommand.post_load","text":"post_load() \u2192 None\nElfInfoCommand.pre_load","text":"pre_load() \u2192 None\nElfInfoCommand.usage","text":"usage() \u2192 None\nEndianness","text":"An enumeration.
"},{"location":"api/gef/#class-entrybreakbreakpoint","title":"classEntryBreakBreakpoint","text":"Breakpoint used internally to stop execution at the most convenient entry point.
"},{"location":"api/gef/#function-entrybreakbreakpoint__init__","title":"functionEntryBreakBreakpoint.__init__","text":"__init__(location: str) \u2192 None\nEntryBreakBreakpoint.stop","text":"stop() \u2192 bool\nEntryPointBreakCommand","text":"Tries to find best entry point and sets a temporary breakpoint on it. The command will test for well-known symbols for entry points, such as main, _main, __libc_start_main, etc. defined by the setting entrypoint_symbols.
EntryPointBreakCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-entrypointbreakcommandadd_setting","title":"functionEntryPointBreakCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
EntryPointBreakCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
EntryPointBreakCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nEntryPointBreakCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
EntryPointBreakCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
EntryPointBreakCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nEntryPointBreakCommand.post_load","text":"post_load() \u2192 None\nEntryPointBreakCommand.pre_load","text":"pre_load() \u2192 None\nEntryPointBreakCommand.set_init_tbreak","text":"set_init_tbreak(addr: int) \u2192 EntryBreakBreakpoint\nEntryPointBreakCommand.set_init_tbreak_pie","text":"set_init_tbreak_pie(addr: int, argv: List[str]) \u2192 EntryBreakBreakpoint\nEntryPointBreakCommand.usage","text":"usage() \u2192 None\nExternalStructureManager","text":""},{"location":"api/gef/#function-externalstructuremanager__init__","title":"function ExternalStructureManager.__init__","text":"__init__() \u2192 None\nExternalStructureManager.clear_caches","text":"clear_caches() \u2192 None\nFileFormat","text":""},{"location":"api/gef/#function-fileformat__init__","title":"function FileFormat.__init__","text":"__init__(path: Union[str, pathlib.Path]) \u2192 None\nFileFormat.is_valid","text":"is_valid(path: pathlib.Path) \u2192 bool\nFileFormatSection","text":""},{"location":"api/gef/#class-flagscommand","title":"class FlagsCommand","text":"Edit flags in a human friendly way.
"},{"location":"api/gef/#function-flagscommand__init__","title":"functionFlagsCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-flagscommandadd_setting","title":"functionFlagsCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
FlagsCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
FlagsCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nFlagsCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
FlagsCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
FlagsCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nFlagsCommand.post_load","text":"post_load() \u2192 None\nFlagsCommand.pre_load","text":"pre_load() \u2192 None\nFlagsCommand.usage","text":"usage() \u2192 None\nFormatStringBreakpoint","text":"Inspect stack for format string.
"},{"location":"api/gef/#function-formatstringbreakpoint__init__","title":"functionFormatStringBreakpoint.__init__","text":"__init__(spec: str, num_args: int) \u2192 None\nFormatStringBreakpoint.stop","text":"stop() \u2192 bool\nFormatStringSearchCommand","text":"Exploitable format-string helper: this command will set up specific breakpoints at well-known dangerous functions (printf, snprintf, etc.), and check if the pointer holding the format string is writable, and therefore susceptible to format string attacks if an attacker can control its content.
"},{"location":"api/gef/#function-formatstringsearchcommand__init__","title":"functionFormatStringSearchCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-formatstringsearchcommandadd_setting","title":"functionFormatStringSearchCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
FormatStringSearchCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
FormatStringSearchCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nFormatStringSearchCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
FormatStringSearchCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
FormatStringSearchCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nFormatStringSearchCommand.post_load","text":"post_load() \u2192 None\nFormatStringSearchCommand.pre_load","text":"pre_load() \u2192 None\nFormatStringSearchCommand.usage","text":"usage() \u2192 None\nGdbRemoveReadlineFinder","text":""},{"location":"api/gef/#function-gdbremovereadlinefinderfind_module","title":"function GdbRemoveReadlineFinder.find_module","text":"find_module(fullname, path=None)\nGdbRemoveReadlineFinder.load_module","text":"load_module(fullname)\nGef","text":"The GEF root class, which serves as a entrypoint for all the debugging session attributes (architecture, memory, settings, etc.).
"},{"location":"api/gef/#function-gef__init__","title":"functionGef.__init__","text":"__init__() \u2192 None\nGef.reinitialize_managers","text":"reinitialize_managers() \u2192 None\nReinitialize the managers. Avoid calling this function directly, using pi reset() is preferred
Gef.reset_caches","text":"reset_caches() \u2192 None\nRecursively clean the cache of all the managers. Avoid calling this function directly, using reset-cache is preferred
Gef.setup","text":"setup() \u2192 None\nSetup initialize the runtime setup, which may require for the gef to be not None.
GefAlias","text":"Simple aliasing wrapper because GDB doesn't do what it should.
"},{"location":"api/gef/#function-gefalias__init__","title":"functionGefAlias.__init__","text":"__init__(\n alias: str,\n command: str,\n completer_class: int = 0,\n command_class: int = -1\n) \u2192 None\nGefAlias.invoke","text":"invoke(args: Any, from_tty: bool) \u2192 None\nGefAlias.lookup_command","text":"lookup_command(cmd: str) \u2192 Optional[Tuple[str, __main__.GenericCommand]]\nGefCommand","text":"GEF main command: view all new commands by typing gef.
GefCommand.__init__","text":"__init__() \u2192 None\nGefCommand.add_context_pane","text":"add_context_pane(\n pane_name: str,\n display_pane_function: Callable,\n pane_title_function: Callable,\n condition: Optional[Callable]\n) \u2192 None\nAdd a new context pane to ContextCommand.
"},{"location":"api/gef/#function-gefcommandinvoke","title":"functionGefCommand.invoke","text":"invoke(args: Any, from_tty: bool) \u2192 None\nGefCommand.load","text":"load() \u2192 None\nLoad all the commands and functions defined by GEF into GDB.
"},{"location":"api/gef/#function-gefcommandload_extra_plugins","title":"functionGefCommand.load_extra_plugins","text":"load_extra_plugins() \u2192 int\nGefCommand.setup","text":"setup() \u2192 None\nGefCommand.show_banner","text":"show_banner() \u2192 None\nGefConfigCommand","text":"GEF configuration sub-command This command will help set/view GEF settings for the current debugging session. It is possible to make those changes permanent by running gef save (refer to this command help), and/or restore previously saved settings by running gef restore (refer help).
GefConfigCommand.__init__","text":"__init__() \u2192 None\nGefConfigCommand.complete","text":"complete(text: str, word: str) \u2192 List[str]\nGefConfigCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGefConfigCommand.print_setting","text":"print_setting(plugin_name: str, verbose: bool = False) \u2192 None\nGefConfigCommand.print_settings","text":"print_settings() \u2192 None\nGefConfigCommand.set_setting","text":"set_setting(argv: Tuple[str, Any]) \u2192 None\nGefFunctionsCommand","text":"List the convenience functions provided by GEF.
"},{"location":"api/gef/#function-geffunctionscommand__init__","title":"functionGefFunctionsCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-geffunctionscommandadd_setting","title":"functionGefFunctionsCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GefFunctionsCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GefFunctionsCommand.do_invoke","text":"do_invoke(argv) \u2192 None\nGefFunctionsCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GefFunctionsCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GefFunctionsCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGefFunctionsCommand.post_load","text":"post_load() \u2192 None\nGefFunctionsCommand.pre_load","text":"pre_load() \u2192 None\nGefFunctionsCommand.usage","text":"usage() \u2192 None\nGefHeapManager","text":"Class managing session heap.
"},{"location":"api/gef/#function-gefheapmanager__init__","title":"functionGefHeapManager.__init__","text":"__init__() \u2192 None\nGefHeapManager.csize2tidx","text":"csize2tidx(size: int) \u2192 int\nGefHeapManager.malloc_align_address","text":"malloc_align_address(address: int) \u2192 int\nAlign addresses according to glibc's MALLOC_ALIGNMENT. See also Issue #689 on Github
"},{"location":"api/gef/#function-gefheapmanagerreset_caches","title":"functionGefHeapManager.reset_caches","text":"reset_caches() \u2192 None\nGefHeapManager.tidx2size","text":"tidx2size(idx: int) \u2192 int\nGefHelpCommand","text":"GEF help sub-command.
"},{"location":"api/gef/#function-gefhelpcommand__init__","title":"functionGefHelpCommand.__init__","text":"__init__() \u2192 None\nGefHelpCommand.invoke","text":"invoke(args: Any, from_tty: bool) \u2192 None\nGefInstallExtraScriptCommand","text":"gef install command: installs one or more scripts from the gef-extras script repo. Note that the command doesn't check for external dependencies the script(s) might require.
GefInstallExtraScriptCommand.__init__","text":"__init__() \u2192 None\nGefInstallExtraScriptCommand.invoke","text":"invoke(argv: str, from_tty: bool) \u2192 None\nGefLibcManager","text":"Class managing everything libc-related (except heap).
"},{"location":"api/gef/#function-geflibcmanager__init__","title":"functionGefLibcManager.__init__","text":"__init__() \u2192 None\nGefLibcManager.reset_caches","text":"reset_caches() \u2192 None\nReset the LRU-cached attributes
"},{"location":"api/gef/#class-gefmanager","title":"classGefManager","text":""},{"location":"api/gef/#function-gefmanagerreset_caches","title":"function GefManager.reset_caches","text":"reset_caches() \u2192 None\nReset the LRU-cached attributes
"},{"location":"api/gef/#class-gefmemorymanager","title":"classGefMemoryManager","text":"Class that manages memory access for gef.
"},{"location":"api/gef/#function-gefmemorymanager__init__","title":"functionGefMemoryManager.__init__","text":"__init__() \u2192 None\nGefMemoryManager.read","text":"read(addr: int, length: int = 16) \u2192 bytes\nReturn a length long byte array with the copy of the process memory at addr.
GefMemoryManager.read_ascii_string","text":"read_ascii_string(address: int) \u2192 Optional[str]\nRead an ASCII string from memory
"},{"location":"api/gef/#function-gefmemorymanagerread_cstring","title":"functionGefMemoryManager.read_cstring","text":"read_cstring(\n address: int,\n max_length: int = 50,\n encoding: Optional[str] = None\n) \u2192 str\nReturn a C-string read from memory.
"},{"location":"api/gef/#function-gefmemorymanagerread_integer","title":"functionGefMemoryManager.read_integer","text":"read_integer(addr: int) \u2192 int\nReturn an integer read from memory.
"},{"location":"api/gef/#function-gefmemorymanagerreset_caches","title":"functionGefMemoryManager.reset_caches","text":"reset_caches() \u2192 None\nGefMemoryManager.write","text":"write(address: int, buffer: ByteString, length: Optional[int] = None) \u2192 None\nWrite buffer at address address.
GefMissingCommand","text":"GEF missing sub-command Display the GEF commands that could not be loaded, along with the reason of why they could not be loaded.
"},{"location":"api/gef/#function-gefmissingcommand__init__","title":"functionGefMissingCommand.__init__","text":"__init__() \u2192 None\nGefMissingCommand.invoke","text":"invoke(args: Any, from_tty: bool) \u2192 None\nGefRemoteSessionManager","text":"Class for managing remote sessions with GEF. It will create a temporary environment designed to clone the remote one.
"},{"location":"api/gef/#function-gefremotesessionmanager__init__","title":"functionGefRemoteSessionManager.__init__","text":"__init__(\n host: str,\n port: int,\n pid: int = -1,\n qemu: Optional[pathlib.Path] = None\n) \u2192 None\nReturn a tuple of the canary address and value, read from the canonical location if supported by the architecture. Otherwise, read from the auxiliary vector.
"},{"location":"api/gef/#property-gefremotesessionmanagercwd","title":"property GefRemoteSessionManager.cwd","text":""},{"location":"api/gef/#property-gefremotesessionmanagerfile","title":"property GefRemoteSessionManager.file","text":"Path to the file being debugged as seen by the remote endpoint.
"},{"location":"api/gef/#property-gefremotesessionmanagerlfile","title":"property GefRemoteSessionManager.lfile","text":"Local path to the file being debugged.
"},{"location":"api/gef/#property-gefremotesessionmanagermaps","title":"property GefRemoteSessionManager.maps","text":""},{"location":"api/gef/#property-gefremotesessionmanageroriginal_canary","title":"property GefRemoteSessionManager.original_canary","text":"Return a tuple of the initial canary address and value, read from the auxiliary vector.
"},{"location":"api/gef/#property-gefremotesessionmanageros","title":"property GefRemoteSessionManager.os","text":"Return the current OS.
"},{"location":"api/gef/#property-gefremotesessionmanagerpagesize","title":"property GefRemoteSessionManager.pagesize","text":"Get the system page size
"},{"location":"api/gef/#property-gefremotesessionmanagerpid","title":"property GefRemoteSessionManager.pid","text":"Return the PID of the target process.
"},{"location":"api/gef/#property-gefremotesessionmanagerroot","title":"property GefRemoteSessionManager.root","text":""},{"location":"api/gef/#property-gefremotesessionmanagertarget","title":"property GefRemoteSessionManager.target","text":""},{"location":"api/gef/#function-gefremotesessionmanagerclose","title":"functionGefRemoteSessionManager.close","text":"close() \u2192 None\nGefRemoteSessionManager.connect","text":"connect(pid: int) \u2192 bool\nConnect to remote target. If in extended mode, also attach to the given PID.
"},{"location":"api/gef/#function-gefremotesessionmanagerin_qemu_user","title":"functionGefRemoteSessionManager.in_qemu_user","text":"in_qemu_user() \u2192 bool\nGefRemoteSessionManager.remote_objfile_event_handler","text":"remote_objfile_event_handler(evt: 'gdb.NewObjFileEvent') \u2192 None\nGefRemoteSessionManager.reset_caches","text":"reset_caches() \u2192 None\nGefRemoteSessionManager.setup","text":"setup() \u2192 bool\nGefRemoteSessionManager.sync","text":"sync(src: str, dst: Optional[str] = None) \u2192 bool\nCopy the src into the temporary chroot. If dst is provided, that path will be used instead of src.
GefRestoreCommand","text":"GEF restore sub-command. Loads settings from file '~/.gef.rc' and apply them to the configuration of GEF.
"},{"location":"api/gef/#function-gefrestorecommand__init__","title":"functionGefRestoreCommand.__init__","text":"__init__() \u2192 None\nGefRestoreCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGefRestoreCommand.reload","text":"reload(quiet: bool)\nGefRunCommand","text":"Override GDB run commands with the context from GEF. Simple wrapper for GDB run command to use arguments set from gef set args.
GefRunCommand.__init__","text":"__init__() \u2192 None\nGefRunCommand.invoke","text":"invoke(args: Any, from_tty: bool) \u2192 None\nGefSaveCommand","text":"GEF save sub-command. Saves the current configuration of GEF to disk (by default in file '~/.gef.rc').
"},{"location":"api/gef/#function-gefsavecommand__init__","title":"functionGefSaveCommand.__init__","text":"__init__() \u2192 None\nGefSaveCommand.invoke","text":"invoke(args: Any, from_tty: bool) \u2192 None\nGefSessionManager","text":"Class managing the runtime properties of GEF.
"},{"location":"api/gef/#function-gefsessionmanager__init__","title":"functionGefSessionManager.__init__","text":"__init__() \u2192 None\nReturn a tuple of the canary address and value, read from the canonical location if supported by the architecture. Otherwise, read from the auxiliary vector.
"},{"location":"api/gef/#property-gefsessionmanagercwd","title":"property GefSessionManager.cwd","text":""},{"location":"api/gef/#property-gefsessionmanagerfile","title":"property GefSessionManager.file","text":"Return a Path object of the target process.
"},{"location":"api/gef/#property-gefsessionmanagermaps","title":"property GefSessionManager.maps","text":"Returns the Path to the procfs entry for the memory mapping.
"},{"location":"api/gef/#property-gefsessionmanageroriginal_canary","title":"property GefSessionManager.original_canary","text":"Return a tuple of the initial canary address and value, read from the auxiliary vector.
"},{"location":"api/gef/#property-gefsessionmanageros","title":"property GefSessionManager.os","text":"Return the current OS.
"},{"location":"api/gef/#property-gefsessionmanagerpagesize","title":"property GefSessionManager.pagesize","text":"Get the system page size
"},{"location":"api/gef/#property-gefsessionmanagerpid","title":"property GefSessionManager.pid","text":"Return the PID of the target process.
"},{"location":"api/gef/#property-gefsessionmanagerroot","title":"property GefSessionManager.root","text":"Returns the path to the process's root directory.
"},{"location":"api/gef/#function-gefsessionmanagerreset_caches","title":"functionGefSessionManager.reset_caches","text":"reset_caches() \u2192 None\nGefSetCommand","text":"Override GDB set commands with the context from GEF.
"},{"location":"api/gef/#function-gefsetcommand__init__","title":"functionGefSetCommand.__init__","text":"__init__() \u2192 None\nGefSetCommand.invoke","text":"invoke(args: Any, from_tty: bool) \u2192 None\nGefSetting","text":"Basic class for storing gef settings as objects
"},{"location":"api/gef/#function-gefsetting__init__","title":"functionGefSetting.__init__","text":"__init__(\n value: Any,\n cls: Optional[type] = None,\n description: Optional[str] = None,\n hooks: Optional[Dict[str, Callable]] = None\n) \u2192 None\nGefSettingsManager","text":"GefSettings acts as a dict where the global settings are stored and can be read, written or deleted as any other dict. For instance, to read a specific command setting: gef.config[mycommand.mysetting]
GefSettingsManager.raw_entry","text":"raw_entry(name: str) \u2192 GefSetting\nGefThemeCommand","text":"Customize GEF appearance.
"},{"location":"api/gef/#function-gefthemecommand__init__","title":"functionGefThemeCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-gefthemecommandadd_setting","title":"functionGefThemeCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GefThemeCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GefThemeCommand.do_invoke","text":"do_invoke(args: List[str]) \u2192 None\nGefThemeCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GefThemeCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GefThemeCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGefThemeCommand.post_load","text":"post_load() \u2192 None\nGefThemeCommand.pre_load","text":"pre_load() \u2192 None\nGefThemeCommand.usage","text":"usage() \u2192 None\nGefTmuxSetup","text":"Setup a confortable tmux debugging environment.
"},{"location":"api/gef/#function-geftmuxsetup__init__","title":"functionGefTmuxSetup.__init__","text":"__init__() \u2192 None\nGefTmuxSetup.invoke","text":"invoke(args: Any, from_tty: bool) \u2192 None\nGefTmuxSetup.screen_setup","text":"screen_setup() \u2192 None\nHackish equivalent of the tmux_setup() function for screen.
"},{"location":"api/gef/#function-geftmuxsetuptmux_setup","title":"functionGefTmuxSetup.tmux_setup","text":"tmux_setup() \u2192 None\nPrepare the tmux environment by vertically splitting the current pane, and forcing the context to be redirected there.
"},{"location":"api/gef/#class-gefuimanager","title":"classGefUiManager","text":"Class managing UI settings.
"},{"location":"api/gef/#function-gefuimanager__init__","title":"functionGefUiManager.__init__","text":"__init__() \u2192 None\nGefUiManager.reset_caches","text":"reset_caches() \u2192 None\nReset the LRU-cached attributes
"},{"location":"api/gef/#class-genericarchitecture","title":"classGenericArchitecture","text":""},{"location":"api/gef/#property-genericarchitectureendianness","title":"property GenericArchitecture.endianness","text":""},{"location":"api/gef/#property-genericarchitecturefp","title":"property GenericArchitecture.fp","text":""},{"location":"api/gef/#property-genericarchitecturepc","title":"property GenericArchitecture.pc","text":""},{"location":"api/gef/#property-genericarchitectureptrsize","title":"property GenericArchitecture.ptrsize","text":""},{"location":"api/gef/#property-genericarchitectureregisters","title":"property GenericArchitecture.registers","text":""},{"location":"api/gef/#property-genericarchitecturesp","title":"property GenericArchitecture.sp","text":""},{"location":"api/gef/#function-genericarchitecturecanary_address","title":"function GenericArchitecture.canary_address","text":"canary_address() \u2192 int\nGenericArchitecture.flag_register_to_human","text":"flag_register_to_human(val: Optional[int] = None) \u2192 str\nGenericArchitecture.get_ith_parameter","text":"get_ith_parameter(i: int, in_func: bool = True) \u2192 Tuple[str, Optional[int]]\nRetrieves the correct parameter used for the current function call.
"},{"location":"api/gef/#function-genericarchitectureget_ra","title":"functionGenericArchitecture.get_ra","text":"get_ra(insn: __main__.Instruction, frame: 'gdb.Frame') \u2192 Optional[int]\nGenericArchitecture.is_branch_taken","text":"is_branch_taken(insn: __main__.Instruction) \u2192 Tuple[bool, str]\nGenericArchitecture.is_call","text":"is_call(insn: __main__.Instruction) \u2192 bool\nGenericArchitecture.is_conditional_branch","text":"is_conditional_branch(insn: __main__.Instruction) \u2192 bool\nGenericArchitecture.is_ret","text":"is_ret(insn: __main__.Instruction) \u2192 bool\nGenericArchitecture.mprotect_asm","text":"mprotect_asm(addr: int, size: int, perm: __main__.Permission) \u2192 str\nGenericArchitecture.register","text":"register(name: str) \u2192 int\nGenericArchitecture.reset_caches","text":"reset_caches() \u2192 None\nGenericArchitecture.supports_gdb_arch","text":"supports_gdb_arch(gdb_arch: str) \u2192 Optional[bool]\nIf implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
GenericCommand","text":"This is an abstract class for invoking commands, should not be instantiated.
"},{"location":"api/gef/#function-genericcommand__init__","title":"functionGenericCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-genericcommandadd_setting","title":"functionGenericCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GenericCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GenericCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nGenericCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GenericCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GenericCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGenericCommand.post_load","text":"post_load() \u2192 None\nGenericCommand.pre_load","text":"pre_load() \u2192 None\nGenericCommand.usage","text":"usage() \u2192 None\nGenericFunction","text":"This is an abstract class for invoking convenience functions, should not be instantiated.
"},{"location":"api/gef/#function-genericfunction__init__","title":"functionGenericFunction.__init__","text":"__init__() \u2192 None\nGenericFunction.arg_to_long","text":"arg_to_long(args: List, index: int, default: int = 0) \u2192 int\nGenericFunction.do_invoke","text":"do_invoke(args: Any) \u2192 int\nGenericFunction.invoke","text":"invoke(*args: Any) \u2192 int\nGlibcArena","text":"Glibc arena class
"},{"location":"api/gef/#function-glibcarena__init__","title":"functionGlibcArena.__init__","text":"__init__(addr: str) \u2192 None\nGlibcArena.bin","text":"bin(i: int) \u2192 Tuple[int, int]\nGlibcArena.bin_at","text":"bin_at(i) \u2192 int\nGlibcArena.fastbin","text":"fastbin(i: int) \u2192 Optional[ForwardRef('GlibcFastChunk')]\nReturn head chunk in fastbinsY[i].
"},{"location":"api/gef/#function-glibcarenaget_heap_for_ptr","title":"functionGlibcArena.get_heap_for_ptr","text":"get_heap_for_ptr(ptr: int) \u2192 int\nFind the corresponding heap for a given pointer (int). See https://github.com/bminor/glibc/blob/glibc-2.34/malloc/arena.c#L129
"},{"location":"api/gef/#function-glibcarenaget_heap_info_list","title":"functionGlibcArena.get_heap_info_list","text":"get_heap_info_list() \u2192 Optional[List[__main__.GlibcHeapInfo]]\nGlibcArena.heap_addr","text":"heap_addr(allow_unaligned: bool = False) \u2192 Optional[int]\nGlibcArena.is_main_arena","text":"is_main_arena() \u2192 bool\nGlibcArena.malloc_state_t","text":"malloc_state_t() \u2192 Type[_ctypes.Structure]\nGlibcArena.reset","text":"reset()\nGlibcArena.verify","text":"verify(addr: int) \u2192 bool\nVerify that the address matches a possible valid GlibcArena
"},{"location":"api/gef/#class-glibcchunk","title":"classGlibcChunk","text":"Glibc chunk class. The default behavior (from_base=False) is to interpret the data starting at the memory address pointed to as the chunk data. Setting from_base to True instead treats that data as the chunk header. Ref: https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/.
"},{"location":"api/gef/#function-glibcchunk__init__","title":"functionGlibcChunk.__init__","text":"__init__(\n addr: int,\n from_base: bool = False,\n allow_unaligned: bool = True\n) \u2192 None\nGlibcChunk.get_next_chunk","text":"get_next_chunk(allow_unaligned: bool = False) \u2192 GlibcChunk\nGlibcChunk.get_next_chunk_addr","text":"get_next_chunk_addr() \u2192 int\nGlibcChunk.get_prev_chunk_size","text":"get_prev_chunk_size() \u2192 int\nGlibcChunk.get_usable_size","text":"get_usable_size() \u2192 int\nGlibcChunk.has_m_bit","text":"has_m_bit() \u2192 bool\nGlibcChunk.has_n_bit","text":"has_n_bit() \u2192 bool\nGlibcChunk.has_p_bit","text":"has_p_bit() \u2192 bool\nGlibcChunk.is_used","text":"is_used() \u2192 bool\nCheck if the current block is used by: - checking the M bit is true - or checking that next chunk PREV_INUSE flag is true
"},{"location":"api/gef/#function-glibcchunkmalloc_chunk_t","title":"functionGlibcChunk.malloc_chunk_t","text":"malloc_chunk_t() \u2192 Type[_ctypes.Structure]\nGlibcChunk.psprint","text":"psprint() \u2192 str\nGlibcChunk.reset","text":"reset()\nGlibcFastChunk","text":""},{"location":"api/gef/#function-glibcfastchunk__init__","title":"function GlibcFastChunk.__init__","text":"__init__(\n addr: int,\n from_base: bool = False,\n allow_unaligned: bool = True\n) \u2192 None\nGlibcFastChunk.get_next_chunk","text":"get_next_chunk(allow_unaligned: bool = False) \u2192 GlibcChunk\nGlibcFastChunk.get_next_chunk_addr","text":"get_next_chunk_addr() \u2192 int\nGlibcFastChunk.get_prev_chunk_size","text":"get_prev_chunk_size() \u2192 int\nGlibcFastChunk.get_usable_size","text":"get_usable_size() \u2192 int\nGlibcFastChunk.has_m_bit","text":"has_m_bit() \u2192 bool\nGlibcFastChunk.has_n_bit","text":"has_n_bit() \u2192 bool\nGlibcFastChunk.has_p_bit","text":"has_p_bit() \u2192 bool\nGlibcFastChunk.is_used","text":"is_used() \u2192 bool\nCheck if the current block is used by: - checking the M bit is true - or checking that next chunk PREV_INUSE flag is true
"},{"location":"api/gef/#function-glibcfastchunkmalloc_chunk_t","title":"functionGlibcFastChunk.malloc_chunk_t","text":"malloc_chunk_t() \u2192 Type[_ctypes.Structure]\nGlibcFastChunk.protect_ptr","text":"protect_ptr(pos: int, pointer: int) \u2192 int\nhttps://elixir.bootlin.com/glibc/glibc-2.32/source/malloc/malloc.c#L339
"},{"location":"api/gef/#function-glibcfastchunkpsprint","title":"functionGlibcFastChunk.psprint","text":"psprint() \u2192 str\nGlibcFastChunk.reset","text":"reset()\nGlibcFastChunk.reveal_ptr","text":"reveal_ptr(pointer: int) \u2192 int\nhttps://elixir.bootlin.com/glibc/glibc-2.32/source/malloc/malloc.c#L341
"},{"location":"api/gef/#class-glibcheaparenacommand","title":"classGlibcHeapArenaCommand","text":"Display information on a heap chunk.
"},{"location":"api/gef/#function-glibcheaparenacommand__init__","title":"functionGlibcHeapArenaCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-glibcheaparenacommandadd_setting","title":"functionGlibcHeapArenaCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GlibcHeapArenaCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GlibcHeapArenaCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nGlibcHeapArenaCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GlibcHeapArenaCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GlibcHeapArenaCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGlibcHeapArenaCommand.post_load","text":"post_load() \u2192 None\nGlibcHeapArenaCommand.pre_load","text":"pre_load() \u2192 None\nGlibcHeapArenaCommand.usage","text":"usage() \u2192 None\nGlibcHeapBinsCommand","text":"Display information on the bins on an arena (default: main_arena). See https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1123.
"},{"location":"api/gef/#function-glibcheapbinscommand__init__","title":"functionGlibcHeapBinsCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-glibcheapbinscommandadd_setting","title":"functionGlibcHeapBinsCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GlibcHeapBinsCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GlibcHeapBinsCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nGlibcHeapBinsCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GlibcHeapBinsCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GlibcHeapBinsCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGlibcHeapBinsCommand.post_load","text":"post_load() \u2192 None\nGlibcHeapBinsCommand.pprint_bin","text":"pprint_bin(arena_addr: str, index: int, _type: str = '') \u2192 int\nGlibcHeapBinsCommand.pre_load","text":"pre_load() \u2192 None\nGlibcHeapBinsCommand.usage","text":"usage() \u2192 None\nGlibcHeapChunkCommand","text":"Display information on a heap chunk. See https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1123.
"},{"location":"api/gef/#function-glibcheapchunkcommand__init__","title":"functionGlibcHeapChunkCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-glibcheapchunkcommandadd_setting","title":"functionGlibcHeapChunkCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GlibcHeapChunkCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GlibcHeapChunkCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nGlibcHeapChunkCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GlibcHeapChunkCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GlibcHeapChunkCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGlibcHeapChunkCommand.post_load","text":"post_load() \u2192 None\nGlibcHeapChunkCommand.pre_load","text":"pre_load() \u2192 None\nGlibcHeapChunkCommand.usage","text":"usage() \u2192 None\nGlibcHeapChunksCommand","text":"Display all heap chunks for the current arena. As an optional argument the base address of a different arena can be passed
"},{"location":"api/gef/#function-glibcheapchunkscommand__init__","title":"functionGlibcHeapChunksCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-glibcheapchunkscommandadd_setting","title":"functionGlibcHeapChunksCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GlibcHeapChunksCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GlibcHeapChunksCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nGlibcHeapChunksCommand.dump_chunks_arena","text":"dump_chunks_arena(\n arena: __main__.GlibcArena,\n print_arena: bool = False,\n allow_unaligned: bool = False\n) \u2192 None\nGlibcHeapChunksCommand.dump_chunks_heap","text":"dump_chunks_heap(\n start: int,\n end: int,\n arena: __main__.GlibcArena,\n allow_unaligned: bool = False\n) \u2192 bool\nGlibcHeapChunksCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GlibcHeapChunksCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GlibcHeapChunksCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGlibcHeapChunksCommand.post_load","text":"post_load() \u2192 None\nGlibcHeapChunksCommand.pre_load","text":"pre_load() \u2192 None\nGlibcHeapChunksCommand.usage","text":"usage() \u2192 None\nGlibcHeapCommand","text":"Base command to get information about the Glibc heap structure.
"},{"location":"api/gef/#function-glibcheapcommand__init__","title":"functionGlibcHeapCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-glibcheapcommandadd_setting","title":"functionGlibcHeapCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GlibcHeapCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GlibcHeapCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nGlibcHeapCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GlibcHeapCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GlibcHeapCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGlibcHeapCommand.post_load","text":"post_load() \u2192 None\nGlibcHeapCommand.pre_load","text":"pre_load() \u2192 None\nGlibcHeapCommand.usage","text":"usage() \u2192 None\nGlibcHeapFastbinsYCommand","text":"Display information on the fastbinsY on an arena (default: main_arena). See https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1123.
"},{"location":"api/gef/#function-glibcheapfastbinsycommand__init__","title":"functionGlibcHeapFastbinsYCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-glibcheapfastbinsycommandadd_setting","title":"functionGlibcHeapFastbinsYCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GlibcHeapFastbinsYCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GlibcHeapFastbinsYCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nGlibcHeapFastbinsYCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GlibcHeapFastbinsYCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GlibcHeapFastbinsYCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGlibcHeapFastbinsYCommand.post_load","text":"post_load() \u2192 None\nGlibcHeapFastbinsYCommand.pre_load","text":"pre_load() \u2192 None\nGlibcHeapFastbinsYCommand.usage","text":"usage() \u2192 None\nGlibcHeapInfo","text":"Glibc heap_info struct
"},{"location":"api/gef/#function-glibcheapinfo__init__","title":"functionGlibcHeapInfo.__init__","text":"__init__(addr: Union[str, int]) \u2192 None\nGlibcHeapInfo.heap_info_t","text":"heap_info_t() \u2192 Type[_ctypes.Structure]\nGlibcHeapInfo.reset","text":"reset()\nGlibcHeapLargeBinsCommand","text":"Convenience command for viewing large bins.
"},{"location":"api/gef/#function-glibcheaplargebinscommand__init__","title":"functionGlibcHeapLargeBinsCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-glibcheaplargebinscommandadd_setting","title":"functionGlibcHeapLargeBinsCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GlibcHeapLargeBinsCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GlibcHeapLargeBinsCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nGlibcHeapLargeBinsCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GlibcHeapLargeBinsCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GlibcHeapLargeBinsCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGlibcHeapLargeBinsCommand.post_load","text":"post_load() \u2192 None\nGlibcHeapLargeBinsCommand.pre_load","text":"pre_load() \u2192 None\nGlibcHeapLargeBinsCommand.usage","text":"usage() \u2192 None\nGlibcHeapSetArenaCommand","text":"Set the address of the main_arena or the currently selected arena.
"},{"location":"api/gef/#function-glibcheapsetarenacommand__init__","title":"functionGlibcHeapSetArenaCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-glibcheapsetarenacommandadd_setting","title":"functionGlibcHeapSetArenaCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GlibcHeapSetArenaCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GlibcHeapSetArenaCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nGlibcHeapSetArenaCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GlibcHeapSetArenaCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GlibcHeapSetArenaCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGlibcHeapSetArenaCommand.post_load","text":"post_load() \u2192 None\nGlibcHeapSetArenaCommand.pre_load","text":"pre_load() \u2192 None\nGlibcHeapSetArenaCommand.usage","text":"usage() \u2192 None\nGlibcHeapSmallBinsCommand","text":"Convenience command for viewing small bins.
"},{"location":"api/gef/#function-glibcheapsmallbinscommand__init__","title":"functionGlibcHeapSmallBinsCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-glibcheapsmallbinscommandadd_setting","title":"functionGlibcHeapSmallBinsCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GlibcHeapSmallBinsCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GlibcHeapSmallBinsCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nGlibcHeapSmallBinsCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GlibcHeapSmallBinsCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GlibcHeapSmallBinsCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGlibcHeapSmallBinsCommand.post_load","text":"post_load() \u2192 None\nGlibcHeapSmallBinsCommand.pre_load","text":"pre_load() \u2192 None\nGlibcHeapSmallBinsCommand.usage","text":"usage() \u2192 None\nGlibcHeapTcachebinsCommand","text":"Display information on the Tcachebins on an arena (default: main_arena). See https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc.
"},{"location":"api/gef/#function-glibcheaptcachebinscommand__init__","title":"functionGlibcHeapTcachebinsCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-glibcheaptcachebinscommandadd_setting","title":"functionGlibcHeapTcachebinsCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GlibcHeapTcachebinsCommand.check_thread_ids","text":"check_thread_ids(tids: List[int]) \u2192 List[int]\nReturn the subset of tids that are currently valid.
"},{"location":"api/gef/#function-glibcheaptcachebinscommanddel_setting","title":"functionGlibcHeapTcachebinsCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GlibcHeapTcachebinsCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nGlibcHeapTcachebinsCommand.find_tcache","text":"find_tcache() \u2192 int\nReturn the location of the current thread's tcache.
"},{"location":"api/gef/#function-glibcheaptcachebinscommandget_setting","title":"functionGlibcHeapTcachebinsCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GlibcHeapTcachebinsCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GlibcHeapTcachebinsCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGlibcHeapTcachebinsCommand.post_load","text":"post_load() \u2192 None\nGlibcHeapTcachebinsCommand.pre_load","text":"pre_load() \u2192 None\nGlibcHeapTcachebinsCommand.tcachebin","text":"tcachebin(\n tcache_base: int,\n i: int\n) \u2192 Tuple[Optional[__main__.GlibcTcacheChunk], int]\nReturn the head chunk in tcache[i] and the number of chunks in the bin.
"},{"location":"api/gef/#function-glibcheaptcachebinscommandusage","title":"functionGlibcHeapTcachebinsCommand.usage","text":"usage() \u2192 None\nGlibcHeapUnsortedBinsCommand","text":"Display information on the Unsorted Bins of an arena (default: main_arena). See: https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1689.
"},{"location":"api/gef/#function-glibcheapunsortedbinscommand__init__","title":"functionGlibcHeapUnsortedBinsCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-glibcheapunsortedbinscommandadd_setting","title":"functionGlibcHeapUnsortedBinsCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GlibcHeapUnsortedBinsCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GlibcHeapUnsortedBinsCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nGlibcHeapUnsortedBinsCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GlibcHeapUnsortedBinsCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GlibcHeapUnsortedBinsCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGlibcHeapUnsortedBinsCommand.post_load","text":"post_load() \u2192 None\nGlibcHeapUnsortedBinsCommand.pre_load","text":"pre_load() \u2192 None\nGlibcHeapUnsortedBinsCommand.usage","text":"usage() \u2192 None\nGlibcTcacheChunk","text":""},{"location":"api/gef/#function-glibctcachechunk__init__","title":"function GlibcTcacheChunk.__init__","text":"__init__(\n addr: int,\n from_base: bool = False,\n allow_unaligned: bool = True\n) \u2192 None\nGlibcTcacheChunk.get_next_chunk","text":"get_next_chunk(allow_unaligned: bool = False) \u2192 GlibcChunk\nGlibcTcacheChunk.get_next_chunk_addr","text":"get_next_chunk_addr() \u2192 int\nGlibcTcacheChunk.get_prev_chunk_size","text":"get_prev_chunk_size() \u2192 int\nGlibcTcacheChunk.get_usable_size","text":"get_usable_size() \u2192 int\nGlibcTcacheChunk.has_m_bit","text":"has_m_bit() \u2192 bool\nGlibcTcacheChunk.has_n_bit","text":"has_n_bit() \u2192 bool\nGlibcTcacheChunk.has_p_bit","text":"has_p_bit() \u2192 bool\nGlibcTcacheChunk.is_used","text":"is_used() \u2192 bool\nCheck if the current block is used by: - checking the M bit is true - or checking that next chunk PREV_INUSE flag is true
"},{"location":"api/gef/#function-glibctcachechunkmalloc_chunk_t","title":"functionGlibcTcacheChunk.malloc_chunk_t","text":"malloc_chunk_t() \u2192 Type[_ctypes.Structure]\nGlibcTcacheChunk.protect_ptr","text":"protect_ptr(pos: int, pointer: int) \u2192 int\nhttps://elixir.bootlin.com/glibc/glibc-2.32/source/malloc/malloc.c#L339
"},{"location":"api/gef/#function-glibctcachechunkpsprint","title":"functionGlibcTcacheChunk.psprint","text":"psprint() \u2192 str\nGlibcTcacheChunk.reset","text":"reset()\nGlibcTcacheChunk.reveal_ptr","text":"reveal_ptr(pointer: int) \u2192 int\nhttps://elixir.bootlin.com/glibc/glibc-2.32/source/malloc/malloc.c#L341
"},{"location":"api/gef/#class-gotbasefunction","title":"classGotBaseFunction","text":"Return the current GOT base address plus the given offset.
"},{"location":"api/gef/#function-gotbasefunction__init__","title":"functionGotBaseFunction.__init__","text":"__init__() \u2192 None\nGotBaseFunction.arg_to_long","text":"arg_to_long(args: List, index: int, default: int = 0) \u2192 int\nGotBaseFunction.do_invoke","text":"do_invoke(args: List) \u2192 int\nGotBaseFunction.invoke","text":"invoke(*args: Any) \u2192 int\nGotCommand","text":"Display current status of the got inside the process.
"},{"location":"api/gef/#function-gotcommand__init__","title":"functionGotCommand.__init__","text":"__init__()\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-gotcommandadd_setting","title":"functionGotCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
GotCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
GotCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nGotCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
GotCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
GotCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nGotCommand.post_load","text":"post_load() \u2192 None\nGotCommand.pre_load","text":"pre_load() \u2192 None\nGotCommand.usage","text":"usage() \u2192 None\nHeapAnalysisCommand","text":"Heap vulnerability analysis helper: this command aims to track dynamic heap allocation done through malloc()/free() to provide some insights on possible heap vulnerabilities. The following vulnerabilities are checked: - NULL free - Use-after-Free - Double Free - Heap overlap
"},{"location":"api/gef/#function-heapanalysiscommand__init__","title":"functionHeapAnalysisCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-heapanalysiscommandadd_setting","title":"functionHeapAnalysisCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
HeapAnalysisCommand.clean","text":"clean(_: 'gdb.Event') \u2192 None\nHeapAnalysisCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
HeapAnalysisCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nHeapAnalysisCommand.dump_tracked_allocations","text":"dump_tracked_allocations() \u2192 None\nHeapAnalysisCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
HeapAnalysisCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
HeapAnalysisCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nHeapAnalysisCommand.post_load","text":"post_load() \u2192 None\nHeapAnalysisCommand.pre_load","text":"pre_load() \u2192 None\nHeapAnalysisCommand.setup","text":"setup() \u2192 None\nHeapAnalysisCommand.usage","text":"usage() \u2192 None\nHeapBaseFunction","text":"Return the current heap base address plus an optional offset.
"},{"location":"api/gef/#function-heapbasefunction__init__","title":"functionHeapBaseFunction.__init__","text":"__init__() \u2192 None\nHeapBaseFunction.arg_to_long","text":"arg_to_long(args: List, index: int, default: int = 0) \u2192 int\nHeapBaseFunction.do_invoke","text":"do_invoke(args: List) \u2192 int\nHeapBaseFunction.invoke","text":"invoke(*args: Any) \u2192 int\nHexdumpByteCommand","text":"Display SIZE lines of hexdump as BYTE from the memory location pointed by ADDRESS.
"},{"location":"api/gef/#function-hexdumpbytecommand__init__","title":"functionHexdumpByteCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-hexdumpbytecommandadd_setting","title":"functionHexdumpByteCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
HexdumpByteCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
HexdumpByteCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nHexdumpByteCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
HexdumpByteCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
HexdumpByteCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nHexdumpByteCommand.post_load","text":"post_load() \u2192 None\nHexdumpByteCommand.pre_load","text":"pre_load() \u2192 None\nHexdumpByteCommand.usage","text":"usage() \u2192 None\nHexdumpCommand","text":"Display SIZE lines of hexdump from the memory location pointed by LOCATION.
"},{"location":"api/gef/#function-hexdumpcommand__init__","title":"functionHexdumpCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-hexdumpcommandadd_setting","title":"functionHexdumpCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
HexdumpCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
HexdumpCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nHexdumpCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
HexdumpCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
HexdumpCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nHexdumpCommand.post_load","text":"post_load() \u2192 None\nHexdumpCommand.pre_load","text":"pre_load() \u2192 None\nHexdumpCommand.usage","text":"usage() \u2192 None\nHexdumpDwordCommand","text":"Display SIZE lines of hexdump as DWORD from the memory location pointed by ADDRESS.
"},{"location":"api/gef/#function-hexdumpdwordcommand__init__","title":"functionHexdumpDwordCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-hexdumpdwordcommandadd_setting","title":"functionHexdumpDwordCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
HexdumpDwordCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
HexdumpDwordCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nHexdumpDwordCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
HexdumpDwordCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
HexdumpDwordCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nHexdumpDwordCommand.post_load","text":"post_load() \u2192 None\nHexdumpDwordCommand.pre_load","text":"pre_load() \u2192 None\nHexdumpDwordCommand.usage","text":"usage() \u2192 None\nHexdumpQwordCommand","text":"Display SIZE lines of hexdump as QWORD from the memory location pointed by ADDRESS.
"},{"location":"api/gef/#function-hexdumpqwordcommand__init__","title":"functionHexdumpQwordCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-hexdumpqwordcommandadd_setting","title":"functionHexdumpQwordCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
HexdumpQwordCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
HexdumpQwordCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nHexdumpQwordCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
HexdumpQwordCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
HexdumpQwordCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nHexdumpQwordCommand.post_load","text":"post_load() \u2192 None\nHexdumpQwordCommand.pre_load","text":"pre_load() \u2192 None\nHexdumpQwordCommand.usage","text":"usage() \u2192 None\nHexdumpWordCommand","text":"Display SIZE lines of hexdump as WORD from the memory location pointed by ADDRESS.
"},{"location":"api/gef/#function-hexdumpwordcommand__init__","title":"functionHexdumpWordCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-hexdumpwordcommandadd_setting","title":"functionHexdumpWordCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
HexdumpWordCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
HexdumpWordCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nHexdumpWordCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
HexdumpWordCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
HexdumpWordCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nHexdumpWordCommand.post_load","text":"post_load() \u2192 None\nHexdumpWordCommand.pre_load","text":"pre_load() \u2192 None\nHexdumpWordCommand.usage","text":"usage() \u2192 None\nHighlightAddCommand","text":"Add a match to the highlight table.
"},{"location":"api/gef/#function-highlightaddcommand__init__","title":"functionHighlightAddCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-highlightaddcommandadd_setting","title":"functionHighlightAddCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
HighlightAddCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
HighlightAddCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nHighlightAddCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
HighlightAddCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
HighlightAddCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nHighlightAddCommand.post_load","text":"post_load() \u2192 None\nHighlightAddCommand.pre_load","text":"pre_load() \u2192 None\nHighlightAddCommand.usage","text":"usage() \u2192 None\nHighlightClearCommand","text":"Clear the highlight table, remove all matches.
"},{"location":"api/gef/#function-highlightclearcommand__init__","title":"functionHighlightClearCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-highlightclearcommandadd_setting","title":"functionHighlightClearCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
HighlightClearCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
HighlightClearCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nHighlightClearCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
HighlightClearCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
HighlightClearCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nHighlightClearCommand.post_load","text":"post_load() \u2192 None\nHighlightClearCommand.pre_load","text":"pre_load() \u2192 None\nHighlightClearCommand.usage","text":"usage() \u2192 None\nHighlightCommand","text":"Highlight user-defined text matches in GEF output universally.
"},{"location":"api/gef/#function-highlightcommand__init__","title":"functionHighlightCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-highlightcommandadd_setting","title":"functionHighlightCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
HighlightCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
HighlightCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nHighlightCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
HighlightCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
HighlightCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nHighlightCommand.post_load","text":"post_load() \u2192 None\nHighlightCommand.pre_load","text":"pre_load() \u2192 None\nHighlightCommand.usage","text":"usage() \u2192 None\nHighlightListCommand","text":"Show the current highlight table with matches to colors.
"},{"location":"api/gef/#function-highlightlistcommand__init__","title":"functionHighlightListCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-highlightlistcommandadd_setting","title":"functionHighlightListCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
HighlightListCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
HighlightListCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nHighlightListCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
HighlightListCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
HighlightListCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nHighlightListCommand.post_load","text":"post_load() \u2192 None\nHighlightListCommand.pre_load","text":"pre_load() \u2192 None\nHighlightListCommand.print_highlight_table","text":"print_highlight_table() \u2192 None\nHighlightListCommand.usage","text":"usage() \u2192 None\nHighlightRemoveCommand","text":"Remove a match in the highlight table.
"},{"location":"api/gef/#function-highlightremovecommand__init__","title":"functionHighlightRemoveCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-highlightremovecommandadd_setting","title":"functionHighlightRemoveCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
HighlightRemoveCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
HighlightRemoveCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nHighlightRemoveCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
HighlightRemoveCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
HighlightRemoveCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nHighlightRemoveCommand.post_load","text":"post_load() \u2192 None\nHighlightRemoveCommand.pre_load","text":"pre_load() \u2192 None\nHighlightRemoveCommand.usage","text":"usage() \u2192 None\nInstruction","text":"GEF representation of a CPU instruction.
"},{"location":"api/gef/#function-instruction__init__","title":"functionInstruction.__init__","text":"__init__(\n address: int,\n location: str,\n mnemo: str,\n operands: List[str],\n opcodes: bytes\n) \u2192 None\nInstruction.is_valid","text":"is_valid() \u2192 bool\nInstruction.next","text":"next() \u2192 Instruction\nInstruction.size","text":"size() \u2192 int\nMIPS","text":""},{"location":"api/gef/#property-mipsendianness","title":"property MIPS.endianness","text":""},{"location":"api/gef/#property-mipsfp","title":"property MIPS.fp","text":""},{"location":"api/gef/#property-mipspc","title":"property MIPS.pc","text":""},{"location":"api/gef/#property-mipsptrsize","title":"property MIPS.ptrsize","text":""},{"location":"api/gef/#property-mipsregisters","title":"property MIPS.registers","text":""},{"location":"api/gef/#property-mipssp","title":"property MIPS.sp","text":""},{"location":"api/gef/#function-mipscanary_address","title":"function MIPS.canary_address","text":"canary_address() \u2192 int\nMIPS.flag_register_to_human","text":"flag_register_to_human(val: Optional[int] = None) \u2192 str\nMIPS.get_ith_parameter","text":"get_ith_parameter(i: int, in_func: bool = True) \u2192 Tuple[str, Optional[int]]\nRetrieves the correct parameter used for the current function call.
"},{"location":"api/gef/#function-mipsget_ra","title":"functionMIPS.get_ra","text":"get_ra(insn: __main__.Instruction, frame: 'gdb.Frame') \u2192 Optional[int]\nMIPS.is_branch_taken","text":"is_branch_taken(insn: __main__.Instruction) \u2192 Tuple[bool, str]\nMIPS.is_call","text":"is_call(insn: __main__.Instruction) \u2192 bool\nMIPS.is_conditional_branch","text":"is_conditional_branch(insn: __main__.Instruction) \u2192 bool\nMIPS.is_ret","text":"is_ret(insn: __main__.Instruction) \u2192 bool\nMIPS.mprotect_asm","text":"mprotect_asm(addr: int, size: int, perm: __main__.Permission) \u2192 str\nMIPS.register","text":"register(name: str) \u2192 int\nMIPS.reset_caches","text":"reset_caches() \u2192 None\nMIPS.supports_gdb_arch","text":"supports_gdb_arch(gdb_arch: str) \u2192 Optional[bool]\nIf implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
MIPS64","text":""},{"location":"api/gef/#property-mips64endianness","title":"property MIPS64.endianness","text":""},{"location":"api/gef/#property-mips64fp","title":"property MIPS64.fp","text":""},{"location":"api/gef/#property-mips64pc","title":"property MIPS64.pc","text":""},{"location":"api/gef/#property-mips64ptrsize","title":"property MIPS64.ptrsize","text":""},{"location":"api/gef/#property-mips64registers","title":"property MIPS64.registers","text":""},{"location":"api/gef/#property-mips64sp","title":"property MIPS64.sp","text":""},{"location":"api/gef/#function-mips64canary_address","title":"function MIPS64.canary_address","text":"canary_address() \u2192 int\nMIPS64.flag_register_to_human","text":"flag_register_to_human(val: Optional[int] = None) \u2192 str\nMIPS64.get_ith_parameter","text":"get_ith_parameter(i: int, in_func: bool = True) \u2192 Tuple[str, Optional[int]]\nRetrieves the correct parameter used for the current function call.
"},{"location":"api/gef/#function-mips64get_ra","title":"functionMIPS64.get_ra","text":"get_ra(insn: __main__.Instruction, frame: 'gdb.Frame') \u2192 Optional[int]\nMIPS64.is_branch_taken","text":"is_branch_taken(insn: __main__.Instruction) \u2192 Tuple[bool, str]\nMIPS64.is_call","text":"is_call(insn: __main__.Instruction) \u2192 bool\nMIPS64.is_conditional_branch","text":"is_conditional_branch(insn: __main__.Instruction) \u2192 bool\nMIPS64.is_ret","text":"is_ret(insn: __main__.Instruction) \u2192 bool\nMIPS64.mprotect_asm","text":"mprotect_asm(addr: int, size: int, perm: __main__.Permission) \u2192 str\nMIPS64.register","text":"register(name: str) \u2192 int\nMIPS64.reset_caches","text":"reset_caches() \u2192 None\nMIPS64.supports_gdb_arch","text":"supports_gdb_arch(gdb_arch: str) \u2192 Optional[bool]\nMemoryCommand","text":"Add or remove address ranges to the memory view.
"},{"location":"api/gef/#function-memorycommand__init__","title":"functionMemoryCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-memorycommandadd_setting","title":"functionMemoryCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
MemoryCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
MemoryCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nMemoryCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
MemoryCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
MemoryCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nMemoryCommand.post_load","text":"post_load() \u2192 None\nMemoryCommand.pre_load","text":"pre_load() \u2192 None\nMemoryCommand.usage","text":"usage() \u2192 None\nMemoryUnwatchCommand","text":"Removes address ranges to the memory view.
"},{"location":"api/gef/#function-memoryunwatchcommand__init__","title":"functionMemoryUnwatchCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-memoryunwatchcommandadd_setting","title":"functionMemoryUnwatchCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
MemoryUnwatchCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
MemoryUnwatchCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nMemoryUnwatchCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
MemoryUnwatchCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
MemoryUnwatchCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nMemoryUnwatchCommand.post_load","text":"post_load() \u2192 None\nMemoryUnwatchCommand.pre_load","text":"pre_load() \u2192 None\nMemoryUnwatchCommand.usage","text":"usage() \u2192 None\nMemoryWatchCommand","text":"Adds address ranges to the memory view.
"},{"location":"api/gef/#function-memorywatchcommand__init__","title":"functionMemoryWatchCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-memorywatchcommandadd_setting","title":"functionMemoryWatchCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
MemoryWatchCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
MemoryWatchCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nMemoryWatchCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
MemoryWatchCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
MemoryWatchCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nMemoryWatchCommand.post_load","text":"post_load() \u2192 None\nMemoryWatchCommand.pre_load","text":"pre_load() \u2192 None\nMemoryWatchCommand.usage","text":"usage() \u2192 None\nMemoryWatchListCommand","text":"Lists all watchpoints to display in context layout.
"},{"location":"api/gef/#function-memorywatchlistcommand__init__","title":"functionMemoryWatchListCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-memorywatchlistcommandadd_setting","title":"functionMemoryWatchListCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
MemoryWatchListCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
MemoryWatchListCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nMemoryWatchListCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
MemoryWatchListCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
MemoryWatchListCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nMemoryWatchListCommand.post_load","text":"post_load() \u2192 None\nMemoryWatchListCommand.pre_load","text":"pre_load() \u2192 None\nMemoryWatchListCommand.usage","text":"usage() \u2192 None\nMemoryWatchResetCommand","text":"Removes all watchpoints.
"},{"location":"api/gef/#function-memorywatchresetcommand__init__","title":"functionMemoryWatchResetCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-memorywatchresetcommandadd_setting","title":"functionMemoryWatchResetCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
MemoryWatchResetCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
MemoryWatchResetCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nMemoryWatchResetCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
MemoryWatchResetCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
MemoryWatchResetCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nMemoryWatchResetCommand.post_load","text":"post_load() \u2192 None\nMemoryWatchResetCommand.pre_load","text":"pre_load() \u2192 None\nMemoryWatchResetCommand.usage","text":"usage() \u2192 None\nNamedBreakpoint","text":"Breakpoint which shows a specified name, when hit.
"},{"location":"api/gef/#function-namedbreakpoint__init__","title":"functionNamedBreakpoint.__init__","text":"__init__(location: str, name: str) \u2192 None\nNamedBreakpoint.stop","text":"stop() \u2192 bool\nNamedBreakpointCommand","text":"Sets a breakpoint and assigns a name to it, which will be shown, when it's hit.
"},{"location":"api/gef/#function-namedbreakpointcommand__init__","title":"functionNamedBreakpointCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-namedbreakpointcommandadd_setting","title":"functionNamedBreakpointCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
NamedBreakpointCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
NamedBreakpointCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nNamedBreakpointCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
NamedBreakpointCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
NamedBreakpointCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nNamedBreakpointCommand.post_load","text":"post_load() \u2192 None\nNamedBreakpointCommand.pre_load","text":"pre_load() \u2192 None\nNamedBreakpointCommand.usage","text":"usage() \u2192 None\nNopCommand","text":"Patch the instruction(s) pointed by parameters with NOP. Note: this command is architecture aware.
"},{"location":"api/gef/#function-nopcommand__init__","title":"functionNopCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-nopcommandadd_setting","title":"functionNopCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
NopCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
NopCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nNopCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
NopCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
NopCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nNopCommand.post_load","text":"post_load() \u2192 None\nNopCommand.pre_load","text":"pre_load() \u2192 None\nNopCommand.usage","text":"usage() \u2192 None\nPCustomCommand","text":"Dump user defined structure. This command attempts to reproduce WinDBG awesome dt command for GDB and allows to apply structures (from symbols or custom) directly to an address. Custom structures can be defined in pure Python using ctypes, and should be stored in a specific directory, whose path must be stored in the pcustom.struct_path configuration setting.
PCustomCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-pcustomcommandadd_setting","title":"functionPCustomCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PCustomCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PCustomCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nPCustomCommand.explode_type","text":"explode_type(arg: str) \u2192 Tuple[str, str]\nPCustomCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PCustomCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PCustomCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPCustomCommand.post_load","text":"post_load() \u2192 None\nPCustomCommand.pre_load","text":"pre_load() \u2192 None\nPCustomCommand.usage","text":"usage() \u2192 None\nPCustomEditCommand","text":"PCustom: edit the content of a given structure
"},{"location":"api/gef/#function-pcustomeditcommand__init__","title":"functionPCustomEditCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-pcustomeditcommandadd_setting","title":"functionPCustomEditCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PCustomEditCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PCustomEditCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nPCustomEditCommand.explode_type","text":"explode_type(arg: str) \u2192 Tuple[str, str]\nPCustomEditCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PCustomEditCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PCustomEditCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPCustomEditCommand.post_load","text":"post_load() \u2192 None\nPCustomEditCommand.pre_load","text":"pre_load() \u2192 None\nPCustomEditCommand.usage","text":"usage() \u2192 None\nPCustomListCommand","text":"PCustom: list available structures
"},{"location":"api/gef/#function-pcustomlistcommand__init__","title":"functionPCustomListCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-pcustomlistcommandadd_setting","title":"functionPCustomListCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PCustomListCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PCustomListCommand.do_invoke","text":"do_invoke(_: List) \u2192 None\nDump the list of all the structures and their respective.
"},{"location":"api/gef/#function-pcustomlistcommandexplode_type","title":"functionPCustomListCommand.explode_type","text":"explode_type(arg: str) \u2192 Tuple[str, str]\nPCustomListCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PCustomListCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PCustomListCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPCustomListCommand.post_load","text":"post_load() \u2192 None\nPCustomListCommand.pre_load","text":"pre_load() \u2192 None\nPCustomListCommand.usage","text":"usage() \u2192 None\nPCustomShowCommand","text":"PCustom: show the content of a given structure
"},{"location":"api/gef/#function-pcustomshowcommand__init__","title":"functionPCustomShowCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-pcustomshowcommandadd_setting","title":"functionPCustomShowCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PCustomShowCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PCustomShowCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nPCustomShowCommand.explode_type","text":"explode_type(arg: str) \u2192 Tuple[str, str]\nPCustomShowCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PCustomShowCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PCustomShowCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPCustomShowCommand.post_load","text":"post_load() \u2192 None\nPCustomShowCommand.pre_load","text":"pre_load() \u2192 None\nPCustomShowCommand.usage","text":"usage() \u2192 None\nPatchByteCommand","text":"Write specified BYTE to the specified address.
"},{"location":"api/gef/#function-patchbytecommand__init__","title":"functionPatchByteCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-patchbytecommandadd_setting","title":"functionPatchByteCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PatchByteCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PatchByteCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nPatchByteCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PatchByteCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PatchByteCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPatchByteCommand.post_load","text":"post_load() \u2192 None\nPatchByteCommand.pre_load","text":"pre_load() \u2192 None\nPatchByteCommand.usage","text":"usage() \u2192 None\nPatchCommand","text":"Write specified values to the specified address.
"},{"location":"api/gef/#function-patchcommand__init__","title":"functionPatchCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-patchcommandadd_setting","title":"functionPatchCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PatchCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PatchCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nPatchCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PatchCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PatchCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPatchCommand.post_load","text":"post_load() \u2192 None\nPatchCommand.pre_load","text":"pre_load() \u2192 None\nPatchCommand.usage","text":"usage() \u2192 None\nPatchDwordCommand","text":"Write specified DWORD to the specified address.
"},{"location":"api/gef/#function-patchdwordcommand__init__","title":"functionPatchDwordCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-patchdwordcommandadd_setting","title":"functionPatchDwordCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PatchDwordCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PatchDwordCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nPatchDwordCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PatchDwordCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PatchDwordCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPatchDwordCommand.post_load","text":"post_load() \u2192 None\nPatchDwordCommand.pre_load","text":"pre_load() \u2192 None\nPatchDwordCommand.usage","text":"usage() \u2192 None\nPatchQwordCommand","text":"Write specified QWORD to the specified address.
"},{"location":"api/gef/#function-patchqwordcommand__init__","title":"functionPatchQwordCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-patchqwordcommandadd_setting","title":"functionPatchQwordCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PatchQwordCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PatchQwordCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nPatchQwordCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PatchQwordCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PatchQwordCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPatchQwordCommand.post_load","text":"post_load() \u2192 None\nPatchQwordCommand.pre_load","text":"pre_load() \u2192 None\nPatchQwordCommand.usage","text":"usage() \u2192 None\nPatchStringCommand","text":"Write specified string to the specified memory location pointed by ADDRESS.
"},{"location":"api/gef/#function-patchstringcommand__init__","title":"functionPatchStringCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-patchstringcommandadd_setting","title":"functionPatchStringCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PatchStringCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PatchStringCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nPatchStringCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PatchStringCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PatchStringCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPatchStringCommand.post_load","text":"post_load() \u2192 None\nPatchStringCommand.pre_load","text":"pre_load() \u2192 None\nPatchStringCommand.usage","text":"usage() \u2192 None\nPatchWordCommand","text":"Write specified WORD to the specified address.
"},{"location":"api/gef/#function-patchwordcommand__init__","title":"functionPatchWordCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-patchwordcommandadd_setting","title":"functionPatchWordCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PatchWordCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PatchWordCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nPatchWordCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PatchWordCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PatchWordCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPatchWordCommand.post_load","text":"post_load() \u2192 None\nPatchWordCommand.pre_load","text":"pre_load() \u2192 None\nPatchWordCommand.usage","text":"usage() \u2192 None\nPatternCommand","text":"Generate or Search a De Bruijn Sequence of unique substrings of length N and a total length of LENGTH. The default value of N is set to match the currently loaded architecture.
"},{"location":"api/gef/#function-patterncommand__init__","title":"functionPatternCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-patterncommandadd_setting","title":"functionPatternCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PatternCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PatternCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nPatternCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PatternCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PatternCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPatternCommand.post_load","text":"post_load() \u2192 None\nPatternCommand.pre_load","text":"pre_load() \u2192 None\nPatternCommand.usage","text":"usage() \u2192 None\nPatternCreateCommand","text":"Generate a De Bruijn Sequence of unique substrings of length N and a total length of LENGTH. The default value of N is set to match the currently loaded architecture.
"},{"location":"api/gef/#function-patterncreatecommand__init__","title":"functionPatternCreateCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-patterncreatecommandadd_setting","title":"functionPatternCreateCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PatternCreateCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PatternCreateCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nPatternCreateCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PatternCreateCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PatternCreateCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPatternCreateCommand.post_load","text":"post_load() \u2192 None\nPatternCreateCommand.pre_load","text":"pre_load() \u2192 None\nPatternCreateCommand.usage","text":"usage() \u2192 None\nPatternSearchCommand","text":"Search a De Bruijn Sequence of unique substrings of length N and a maximum total length of MAX_LENGTH. The default value of N is set to match the currently loaded architecture. The PATTERN argument can be a GDB symbol (such as a register name), a string or a hexadecimal value
"},{"location":"api/gef/#function-patternsearchcommand__init__","title":"functionPatternSearchCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-patternsearchcommandadd_setting","title":"functionPatternSearchCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PatternSearchCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PatternSearchCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nPatternSearchCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PatternSearchCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PatternSearchCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPatternSearchCommand.post_load","text":"post_load() \u2192 None\nPatternSearchCommand.pre_load","text":"pre_load() \u2192 None\nPatternSearchCommand.search","text":"search(pattern: str, size: int, period: int) \u2192 None\nPatternSearchCommand.usage","text":"usage() \u2192 None\nPermission","text":"GEF representation of Linux permission.
"},{"location":"api/gef/#class-phdr","title":"classPhdr","text":""},{"location":"api/gef/#function-phdr__init__","title":"function Phdr.__init__","text":"__init__(elf: __main__.Elf, off: int) \u2192 None\nPieAttachCommand","text":"Do attach with PIE breakpoint support.
"},{"location":"api/gef/#function-pieattachcommand__init__","title":"functionPieAttachCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-pieattachcommandadd_setting","title":"functionPieAttachCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PieAttachCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PieAttachCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nPieAttachCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PieAttachCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PieAttachCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPieAttachCommand.post_load","text":"post_load() \u2192 None\nPieAttachCommand.pre_load","text":"pre_load() \u2192 None\nPieAttachCommand.usage","text":"usage() \u2192 None\nPieBreakpointCommand","text":"Set a PIE breakpoint at an offset from the target binaries base address.
"},{"location":"api/gef/#function-piebreakpointcommand__init__","title":"functionPieBreakpointCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-piebreakpointcommandadd_setting","title":"functionPieBreakpointCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PieBreakpointCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PieBreakpointCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nPieBreakpointCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PieBreakpointCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PieBreakpointCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPieBreakpointCommand.post_load","text":"post_load() \u2192 None\nPieBreakpointCommand.pre_load","text":"pre_load() \u2192 None\nPieBreakpointCommand.set_pie_breakpoint","text":"set_pie_breakpoint(set_func: Callable[[int], str], addr: int) \u2192 None\nPieBreakpointCommand.usage","text":"usage() \u2192 None\nPieCommand","text":"PIE breakpoint support.
"},{"location":"api/gef/#function-piecommand__init__","title":"functionPieCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-piecommandadd_setting","title":"functionPieCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PieCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PieCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nPieCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PieCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PieCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPieCommand.post_load","text":"post_load() \u2192 None\nPieCommand.pre_load","text":"pre_load() \u2192 None\nPieCommand.usage","text":"usage() \u2192 None\nPieDeleteCommand","text":"Delete a PIE breakpoint.
"},{"location":"api/gef/#function-piedeletecommand__init__","title":"functionPieDeleteCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-piedeletecommandadd_setting","title":"functionPieDeleteCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PieDeleteCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PieDeleteCommand.delete_bp","text":"delete_bp(breakpoints: List[__main__.PieVirtualBreakpoint]) \u2192 None\nPieDeleteCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nPieDeleteCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PieDeleteCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PieDeleteCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPieDeleteCommand.post_load","text":"post_load() \u2192 None\nPieDeleteCommand.pre_load","text":"pre_load() \u2192 None\nPieDeleteCommand.usage","text":"usage() \u2192 None\nPieInfoCommand","text":"Display breakpoint info.
"},{"location":"api/gef/#function-pieinfocommand__init__","title":"functionPieInfoCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-pieinfocommandadd_setting","title":"functionPieInfoCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PieInfoCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PieInfoCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nPieInfoCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PieInfoCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PieInfoCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPieInfoCommand.post_load","text":"post_load() \u2192 None\nPieInfoCommand.pre_load","text":"pre_load() \u2192 None\nPieInfoCommand.usage","text":"usage() \u2192 None\nPieRemoteCommand","text":"Attach to a remote connection with PIE breakpoint support.
"},{"location":"api/gef/#function-pieremotecommand__init__","title":"functionPieRemoteCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-pieremotecommandadd_setting","title":"functionPieRemoteCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PieRemoteCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PieRemoteCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nPieRemoteCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PieRemoteCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PieRemoteCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPieRemoteCommand.post_load","text":"post_load() \u2192 None\nPieRemoteCommand.pre_load","text":"pre_load() \u2192 None\nPieRemoteCommand.usage","text":"usage() \u2192 None\nPieRunCommand","text":"Run process with PIE breakpoint support.
"},{"location":"api/gef/#function-pieruncommand__init__","title":"functionPieRunCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-pieruncommandadd_setting","title":"functionPieRunCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PieRunCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PieRunCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nPieRunCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PieRunCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PieRunCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPieRunCommand.post_load","text":"post_load() \u2192 None\nPieRunCommand.pre_load","text":"pre_load() \u2192 None\nPieRunCommand.usage","text":"usage() \u2192 None\nPieVirtualBreakpoint","text":"PIE virtual breakpoint (not real breakpoint).
"},{"location":"api/gef/#function-pievirtualbreakpoint__init__","title":"functionPieVirtualBreakpoint.__init__","text":"__init__(set_func: Callable[[int], str], vbp_num: int, addr: int) \u2192 None\nPieVirtualBreakpoint.destroy","text":"destroy() \u2192 None\nPieVirtualBreakpoint.instantiate","text":"instantiate(base: int) \u2192 None\nPowerPC","text":""},{"location":"api/gef/#property-powerpcendianness","title":"property PowerPC.endianness","text":""},{"location":"api/gef/#property-powerpcfp","title":"property PowerPC.fp","text":""},{"location":"api/gef/#property-powerpcpc","title":"property PowerPC.pc","text":""},{"location":"api/gef/#property-powerpcregisters","title":"property PowerPC.registers","text":""},{"location":"api/gef/#property-powerpcsp","title":"property PowerPC.sp","text":""},{"location":"api/gef/#function-powerpccanary_address","title":"function PowerPC.canary_address","text":"canary_address() \u2192 int\nPowerPC.flag_register_to_human","text":"flag_register_to_human(val: Optional[int] = None) \u2192 str\nPowerPC.get_ith_parameter","text":"get_ith_parameter(i: int, in_func: bool = True) \u2192 Tuple[str, Optional[int]]\nRetrieves the correct parameter used for the current function call.
"},{"location":"api/gef/#function-powerpcget_ra","title":"functionPowerPC.get_ra","text":"get_ra(insn: __main__.Instruction, frame: 'gdb.Frame') \u2192 Optional[int]\nPowerPC.is_branch_taken","text":"is_branch_taken(insn: __main__.Instruction) \u2192 Tuple[bool, str]\nPowerPC.is_call","text":"is_call(insn: __main__.Instruction) \u2192 bool\nPowerPC.is_conditional_branch","text":"is_conditional_branch(insn: __main__.Instruction) \u2192 bool\nPowerPC.is_ret","text":"is_ret(insn: __main__.Instruction) \u2192 bool\nPowerPC.mprotect_asm","text":"mprotect_asm(addr: int, size: int, perm: __main__.Permission) \u2192 str\nPowerPC.register","text":"register(name: str) \u2192 int\nPowerPC.reset_caches","text":"reset_caches() \u2192 None\nPowerPC.supports_gdb_arch","text":"supports_gdb_arch(gdb_arch: str) \u2192 Optional[bool]\nIf implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
PowerPC64","text":""},{"location":"api/gef/#property-powerpc64endianness","title":"property PowerPC64.endianness","text":""},{"location":"api/gef/#property-powerpc64fp","title":"property PowerPC64.fp","text":""},{"location":"api/gef/#property-powerpc64pc","title":"property PowerPC64.pc","text":""},{"location":"api/gef/#property-powerpc64registers","title":"property PowerPC64.registers","text":""},{"location":"api/gef/#property-powerpc64sp","title":"property PowerPC64.sp","text":""},{"location":"api/gef/#function-powerpc64canary_address","title":"function PowerPC64.canary_address","text":"canary_address() \u2192 int\nPowerPC64.flag_register_to_human","text":"flag_register_to_human(val: Optional[int] = None) \u2192 str\nPowerPC64.get_ith_parameter","text":"get_ith_parameter(i: int, in_func: bool = True) \u2192 Tuple[str, Optional[int]]\nRetrieves the correct parameter used for the current function call.
"},{"location":"api/gef/#function-powerpc64get_ra","title":"functionPowerPC64.get_ra","text":"get_ra(insn: __main__.Instruction, frame: 'gdb.Frame') \u2192 Optional[int]\nPowerPC64.is_branch_taken","text":"is_branch_taken(insn: __main__.Instruction) \u2192 Tuple[bool, str]\nPowerPC64.is_call","text":"is_call(insn: __main__.Instruction) \u2192 bool\nPowerPC64.is_conditional_branch","text":"is_conditional_branch(insn: __main__.Instruction) \u2192 bool\nPowerPC64.is_ret","text":"is_ret(insn: __main__.Instruction) \u2192 bool\nPowerPC64.mprotect_asm","text":"mprotect_asm(addr: int, size: int, perm: __main__.Permission) \u2192 str\nPowerPC64.register","text":"register(name: str) \u2192 int\nPowerPC64.reset_caches","text":"reset_caches() \u2192 None\nPowerPC64.supports_gdb_arch","text":"supports_gdb_arch(gdb_arch: str) \u2192 Optional[bool]\nIf implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
PrintFormatCommand","text":"Print bytes format in commonly used formats, such as literals in high level languages.
"},{"location":"api/gef/#function-printformatcommand__init__","title":"functionPrintFormatCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-printformatcommandadd_setting","title":"functionPrintFormatCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
PrintFormatCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
PrintFormatCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nPrintFormatCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
PrintFormatCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
PrintFormatCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nPrintFormatCommand.post_load","text":"post_load() \u2192 None\nPrintFormatCommand.pre_load","text":"pre_load() \u2192 None\nPrintFormatCommand.usage","text":"usage() \u2192 None\nProcessListingCommand","text":"List and filter process. If a PATTERN is given as argument, results shown will be grepped by this pattern.
"},{"location":"api/gef/#function-processlistingcommand__init__","title":"functionProcessListingCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-processlistingcommandadd_setting","title":"functionProcessListingCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
ProcessListingCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
ProcessListingCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nProcessListingCommand.get_processes","text":"get_processes() \u2192 Generator[Dict[str, str], NoneType, NoneType]\nProcessListingCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
ProcessListingCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
ProcessListingCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nProcessListingCommand.post_load","text":"post_load() \u2192 None\nProcessListingCommand.pre_load","text":"pre_load() \u2192 None\nProcessListingCommand.usage","text":"usage() \u2192 None\nProcessStatusCommand","text":"Extends the info given by GDB info proc, by giving an exhaustive description of the process status (file descriptors, ancestor, descendants, etc.).
ProcessStatusCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-processstatuscommandadd_setting","title":"functionProcessStatusCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
ProcessStatusCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
ProcessStatusCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nProcessStatusCommand.get_children_pids","text":"get_children_pids(pid: int) \u2192 List[int]\nProcessStatusCommand.get_cmdline_of","text":"get_cmdline_of(pid: int) \u2192 str\nProcessStatusCommand.get_process_path_of","text":"get_process_path_of(pid: int) \u2192 str\nProcessStatusCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
ProcessStatusCommand.get_state_of","text":"get_state_of(pid: int) \u2192 Dict[str, str]\nProcessStatusCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
ProcessStatusCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nProcessStatusCommand.list_sockets","text":"list_sockets(pid: int) \u2192 List[int]\nProcessStatusCommand.parse_ip_port","text":"parse_ip_port(addr: str) \u2192 Tuple[str, int]\nProcessStatusCommand.post_load","text":"post_load() \u2192 None\nProcessStatusCommand.pre_load","text":"pre_load() \u2192 None\nProcessStatusCommand.show_ancestor","text":"show_ancestor() \u2192 None\nProcessStatusCommand.show_connections","text":"show_connections() \u2192 None\nProcessStatusCommand.show_descendants","text":"show_descendants() \u2192 None\nProcessStatusCommand.show_fds","text":"show_fds() \u2192 None\nProcessStatusCommand.show_info_proc","text":"show_info_proc() \u2192 None\nProcessStatusCommand.usage","text":"usage() \u2192 None\nRISCV","text":""},{"location":"api/gef/#property-riscvendianness","title":"property RISCV.endianness","text":""},{"location":"api/gef/#property-riscvfp","title":"property RISCV.fp","text":""},{"location":"api/gef/#property-riscvinstruction_length","title":"property RISCV.instruction_length","text":""},{"location":"api/gef/#property-riscvpc","title":"property RISCV.pc","text":""},{"location":"api/gef/#property-riscvptrsize","title":"property RISCV.ptrsize","text":""},{"location":"api/gef/#property-riscvregisters","title":"property RISCV.registers","text":""},{"location":"api/gef/#property-riscvsp","title":"property RISCV.sp","text":""},{"location":"api/gef/#function-riscvcanary_address","title":"function RISCV.canary_address","text":"canary_address() \u2192 int\nRISCV.flag_register_to_human","text":"flag_register_to_human(val: Optional[int] = None) \u2192 str\nRISCV.get_ith_parameter","text":"get_ith_parameter(i: int, in_func: bool = True) \u2192 Tuple[str, Optional[int]]\nRetrieves the correct parameter used for the current function call.
"},{"location":"api/gef/#function-riscvget_ra","title":"functionRISCV.get_ra","text":"get_ra(insn: __main__.Instruction, frame: 'gdb.Frame') \u2192 Optional[int]\nRISCV.is_branch_taken","text":"is_branch_taken(insn: __main__.Instruction) \u2192 Tuple[bool, str]\nRISCV.is_call","text":"is_call(insn: __main__.Instruction) \u2192 bool\nRISCV.is_conditional_branch","text":"is_conditional_branch(insn: __main__.Instruction) \u2192 bool\nRISCV.is_ret","text":"is_ret(insn: __main__.Instruction) \u2192 bool\nRISCV.mprotect_asm","text":"mprotect_asm(addr: int, size: int, perm: __main__.Permission) \u2192 str\nRISCV.register","text":"register(name: str) \u2192 int\nRISCV.reset_caches","text":"reset_caches() \u2192 None\nRISCV.supports_gdb_arch","text":"supports_gdb_arch(gdb_arch: str) \u2192 Optional[bool]\nIf implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
RedirectOutputContext","text":""},{"location":"api/gef/#function-redirectoutputcontext__init__","title":"function RedirectOutputContext.__init__","text":"__init__(to: str = '/dev/null') \u2192 None\nRemoteCommand","text":"GDB target remote command on steroids. This command will use the remote procfs to create a local copy of the execution environment, including the target binary and its libraries in the local temporary directory (the value by default is in gef.config.tempdir). Additionally, it will fetch all the /proc/PID/maps and loads all its information. If procfs is not available remotely, the command will likely fail. You can however still use the limited command provided by GDB target remote.
RemoteCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-remotecommandadd_setting","title":"functionRemoteCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
RemoteCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
RemoteCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nRemoteCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
RemoteCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
RemoteCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nRemoteCommand.post_load","text":"post_load() \u2192 None\nRemoteCommand.pre_load","text":"pre_load() \u2192 None\nRemoteCommand.usage","text":"usage() \u2192 None\nResetCacheCommand","text":"Reset cache of all stored data. This command is here for debugging and test purposes, GEF handles properly the cache reset under \"normal\" scenario.
"},{"location":"api/gef/#function-resetcachecommand__init__","title":"functionResetCacheCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-resetcachecommandadd_setting","title":"functionResetCacheCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
ResetCacheCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
ResetCacheCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nResetCacheCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
ResetCacheCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
ResetCacheCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nResetCacheCommand.post_load","text":"post_load() \u2192 None\nResetCacheCommand.pre_load","text":"pre_load() \u2192 None\nResetCacheCommand.usage","text":"usage() \u2192 None\nSPARC","text":"Refs: - https://www.cse.scu.edu/~atkinson/teaching/sp05/259/sparc.pdf
"},{"location":"api/gef/#property-sparcendianness","title":"property SPARC.endianness","text":""},{"location":"api/gef/#property-sparcfp","title":"property SPARC.fp","text":""},{"location":"api/gef/#property-sparcpc","title":"property SPARC.pc","text":""},{"location":"api/gef/#property-sparcptrsize","title":"property SPARC.ptrsize","text":""},{"location":"api/gef/#property-sparcregisters","title":"property SPARC.registers","text":""},{"location":"api/gef/#property-sparcsp","title":"property SPARC.sp","text":""},{"location":"api/gef/#function-sparccanary_address","title":"functionSPARC.canary_address","text":"canary_address() \u2192 int\nSPARC.flag_register_to_human","text":"flag_register_to_human(val: Optional[int] = None) \u2192 str\nSPARC.get_ith_parameter","text":"get_ith_parameter(i: int, in_func: bool = True) \u2192 Tuple[str, Optional[int]]\nRetrieves the correct parameter used for the current function call.
"},{"location":"api/gef/#function-sparcget_ra","title":"functionSPARC.get_ra","text":"get_ra(insn: __main__.Instruction, frame: 'gdb.Frame') \u2192 Optional[int]\nSPARC.is_branch_taken","text":"is_branch_taken(insn: __main__.Instruction) \u2192 Tuple[bool, str]\nSPARC.is_call","text":"is_call(insn: __main__.Instruction) \u2192 bool\nSPARC.is_conditional_branch","text":"is_conditional_branch(insn: __main__.Instruction) \u2192 bool\nSPARC.is_ret","text":"is_ret(insn: __main__.Instruction) \u2192 bool\nSPARC.mprotect_asm","text":"mprotect_asm(addr: int, size: int, perm: __main__.Permission) \u2192 str\nSPARC.register","text":"register(name: str) \u2192 int\nSPARC.reset_caches","text":"reset_caches() \u2192 None\nSPARC.supports_gdb_arch","text":"supports_gdb_arch(gdb_arch: str) \u2192 Optional[bool]\nIf implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
SPARC64","text":"Refs: - http://math-atlas.sourceforge.net/devel/assembly/abi_sysV_sparc.pdf - https://cr.yp.to/2005-590/sparcv9.pdf
"},{"location":"api/gef/#property-sparc64endianness","title":"property SPARC64.endianness","text":""},{"location":"api/gef/#property-sparc64fp","title":"property SPARC64.fp","text":""},{"location":"api/gef/#property-sparc64pc","title":"property SPARC64.pc","text":""},{"location":"api/gef/#property-sparc64ptrsize","title":"property SPARC64.ptrsize","text":""},{"location":"api/gef/#property-sparc64registers","title":"property SPARC64.registers","text":""},{"location":"api/gef/#property-sparc64sp","title":"property SPARC64.sp","text":""},{"location":"api/gef/#function-sparc64canary_address","title":"functionSPARC64.canary_address","text":"canary_address() \u2192 int\nSPARC64.flag_register_to_human","text":"flag_register_to_human(val: Optional[int] = None) \u2192 str\nSPARC64.get_ith_parameter","text":"get_ith_parameter(i: int, in_func: bool = True) \u2192 Tuple[str, Optional[int]]\nRetrieves the correct parameter used for the current function call.
"},{"location":"api/gef/#function-sparc64get_ra","title":"functionSPARC64.get_ra","text":"get_ra(insn: __main__.Instruction, frame: 'gdb.Frame') \u2192 Optional[int]\nSPARC64.is_branch_taken","text":"is_branch_taken(insn: __main__.Instruction) \u2192 Tuple[bool, str]\nSPARC64.is_call","text":"is_call(insn: __main__.Instruction) \u2192 bool\nSPARC64.is_conditional_branch","text":"is_conditional_branch(insn: __main__.Instruction) \u2192 bool\nSPARC64.is_ret","text":"is_ret(insn: __main__.Instruction) \u2192 bool\nSPARC64.mprotect_asm","text":"mprotect_asm(addr: int, size: int, perm: __main__.Permission) \u2192 str\nSPARC64.register","text":"register(name: str) \u2192 int\nSPARC64.reset_caches","text":"reset_caches() \u2192 None\nSPARC64.supports_gdb_arch","text":"supports_gdb_arch(gdb_arch: str) \u2192 Optional[bool]\nIf implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
ScanSectionCommand","text":"Search for addresses that are located in a memory mapping (haystack) that belonging to another (needle).
"},{"location":"api/gef/#function-scansectioncommand__init__","title":"functionScanSectionCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-scansectioncommandadd_setting","title":"functionScanSectionCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
ScanSectionCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
ScanSectionCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nScanSectionCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
ScanSectionCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
ScanSectionCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nScanSectionCommand.post_load","text":"post_load() \u2192 None\nScanSectionCommand.pre_load","text":"pre_load() \u2192 None\nScanSectionCommand.usage","text":"usage() \u2192 None\nSearchPatternCommand","text":"SearchPatternCommand: search a pattern in memory. If given an hex value (starting with 0x) the command will also try to look for upwards cross-references to this address.
"},{"location":"api/gef/#function-searchpatterncommand__init__","title":"functionSearchPatternCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-searchpatterncommandadd_setting","title":"functionSearchPatternCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
SearchPatternCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
SearchPatternCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nSearchPatternCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
SearchPatternCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
SearchPatternCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nSearchPatternCommand.post_load","text":"post_load() \u2192 None\nSearchPatternCommand.pre_load","text":"pre_load() \u2192 None\nSearchPatternCommand.print_loc","text":"print_loc(loc: Tuple[int, int, str]) \u2192 None\nSearchPatternCommand.print_section","text":"print_section(section: __main__.Section) \u2192 None\nSearchPatternCommand.search_binpattern_by_address","text":"search_binpattern_by_address(\n binpattern: bytes,\n start_address: int,\n end_address: int\n) \u2192 List[Tuple[int, int, Optional[str]]]\nSearch a binary pattern within a range defined by arguments.
"},{"location":"api/gef/#function-searchpatterncommandsearch_pattern","title":"functionSearchPatternCommand.search_pattern","text":"search_pattern(pattern: str, section_name: str) \u2192 None\nSearch a pattern within the whole userland memory.
"},{"location":"api/gef/#function-searchpatterncommandsearch_pattern_by_address","title":"functionSearchPatternCommand.search_pattern_by_address","text":"search_pattern_by_address(\n pattern: str,\n start_address: int,\n end_address: int\n) \u2192 List[Tuple[int, int, Optional[str]]]\nSearch a pattern within a range defined by arguments.
"},{"location":"api/gef/#function-searchpatterncommandusage","title":"functionSearchPatternCommand.usage","text":"usage() \u2192 None\nSection","text":"GEF representation of process memory sections.
"},{"location":"api/gef/#function-section__init__","title":"functionSection.__init__","text":"__init__(**kwargs: Any) \u2192 None\nSection.is_executable","text":"is_executable() \u2192 bool\nSection.is_readable","text":"is_readable() \u2192 bool\nSection.is_writable","text":"is_writable() \u2192 bool\nSectionBaseFunction","text":"Return the matching file's base address plus an optional offset. Defaults to current file. Note that quotes need to be escaped
"},{"location":"api/gef/#function-sectionbasefunction__init__","title":"functionSectionBaseFunction.__init__","text":"__init__() \u2192 None\nSectionBaseFunction.arg_to_long","text":"arg_to_long(args: List, index: int, default: int = 0) \u2192 int\nSectionBaseFunction.do_invoke","text":"do_invoke(args: List) \u2192 int\nSectionBaseFunction.invoke","text":"invoke(*args: Any) \u2192 int\nShdr","text":""},{"location":"api/gef/#function-shdr__init__","title":"function Shdr.__init__","text":"__init__(elf: Optional[__main__.Elf], off: int) \u2192 None\nShellcodeCommand","text":"ShellcodeCommand uses @JonathanSalwan simple-yet-awesome shellcode API to download shellcodes.
"},{"location":"api/gef/#function-shellcodecommand__init__","title":"functionShellcodeCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-shellcodecommandadd_setting","title":"functionShellcodeCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
ShellcodeCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
ShellcodeCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nShellcodeCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
ShellcodeCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
ShellcodeCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nShellcodeCommand.post_load","text":"post_load() \u2192 None\nShellcodeCommand.pre_load","text":"pre_load() \u2192 None\nShellcodeCommand.usage","text":"usage() \u2192 None\nShellcodeGetCommand","text":"Download shellcode from shell-storm's shellcode database.
"},{"location":"api/gef/#function-shellcodegetcommand__init__","title":"functionShellcodeGetCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-shellcodegetcommandadd_setting","title":"functionShellcodeGetCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
ShellcodeGetCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
ShellcodeGetCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nShellcodeGetCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
ShellcodeGetCommand.get_shellcode","text":"get_shellcode(sid: int) \u2192 None\nShellcodeGetCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
ShellcodeGetCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nShellcodeGetCommand.post_load","text":"post_load() \u2192 None\nShellcodeGetCommand.pre_load","text":"pre_load() \u2192 None\nShellcodeGetCommand.usage","text":"usage() \u2192 None\nShellcodeSearchCommand","text":"Search pattern in shell-storm's shellcode database.
"},{"location":"api/gef/#function-shellcodesearchcommand__init__","title":"functionShellcodeSearchCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-shellcodesearchcommandadd_setting","title":"functionShellcodeSearchCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
ShellcodeSearchCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
ShellcodeSearchCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nShellcodeSearchCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
ShellcodeSearchCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
ShellcodeSearchCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nShellcodeSearchCommand.post_load","text":"post_load() \u2192 None\nShellcodeSearchCommand.pre_load","text":"pre_load() \u2192 None\nShellcodeSearchCommand.search_shellcode","text":"search_shellcode(search_options: List) \u2192 None\nShellcodeSearchCommand.usage","text":"usage() \u2192 None\nSkipiCommand","text":"Skip N instruction(s) execution
"},{"location":"api/gef/#function-skipicommand__init__","title":"functionSkipiCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-skipicommandadd_setting","title":"functionSkipiCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
SkipiCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
SkipiCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nSkipiCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
SkipiCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
SkipiCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nSkipiCommand.post_load","text":"post_load() \u2192 None\nSkipiCommand.pre_load","text":"pre_load() \u2192 None\nSkipiCommand.usage","text":"usage() \u2192 None\nSmartEvalCommand","text":"SmartEval: Smart eval (vague approach to mimic WinDBG ?).
SmartEvalCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-smartevalcommandadd_setting","title":"functionSmartEvalCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
SmartEvalCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
SmartEvalCommand.distance","text":"distance(args: Tuple[str, str]) \u2192 None\nSmartEvalCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nSmartEvalCommand.evaluate","text":"evaluate(expr: List[str]) \u2192 None\nSmartEvalCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
SmartEvalCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
SmartEvalCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nSmartEvalCommand.post_load","text":"post_load() \u2192 None\nSmartEvalCommand.pre_load","text":"pre_load() \u2192 None\nSmartEvalCommand.usage","text":"usage() \u2192 None\nSolveKernelSymbolCommand","text":"Solve kernel symbols from kallsyms table.
"},{"location":"api/gef/#function-solvekernelsymbolcommand__init__","title":"functionSolveKernelSymbolCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-solvekernelsymbolcommandadd_setting","title":"functionSolveKernelSymbolCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
SolveKernelSymbolCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
SolveKernelSymbolCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nSolveKernelSymbolCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
SolveKernelSymbolCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
SolveKernelSymbolCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nSolveKernelSymbolCommand.post_load","text":"post_load() \u2192 None\nSolveKernelSymbolCommand.pre_load","text":"pre_load() \u2192 None\nSolveKernelSymbolCommand.usage","text":"usage() \u2192 None\nStackOffsetFunction","text":"Return the current stack base address plus an optional offset.
"},{"location":"api/gef/#function-stackoffsetfunction__init__","title":"functionStackOffsetFunction.__init__","text":"__init__() \u2192 None\nStackOffsetFunction.arg_to_long","text":"arg_to_long(args: List, index: int, default: int = 0) \u2192 int\nStackOffsetFunction.do_invoke","text":"do_invoke(args: List) \u2192 int\nStackOffsetFunction.invoke","text":"invoke(*args: Any) \u2192 int\nStubBreakpoint","text":"Create a breakpoint to permanently disable a call (fork/alarm/signal/etc.).
"},{"location":"api/gef/#function-stubbreakpoint__init__","title":"functionStubBreakpoint.__init__","text":"__init__(func: str, retval: Optional[int]) \u2192 None\nStubBreakpoint.stop","text":"stop() \u2192 bool\nStubCommand","text":"Stub out the specified function. This function is useful when needing to skip one function to be called and disrupt your runtime flow (ex. fork).
"},{"location":"api/gef/#function-stubcommand__init__","title":"functionStubCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-stubcommandadd_setting","title":"functionStubCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
StubCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
StubCommand.wrapper","text":"wrapper(*args: Any, **kwargs: Any) \u2192 Callable\nStubCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
StubCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
StubCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nStubCommand.post_load","text":"post_load() \u2192 None\nStubCommand.pre_load","text":"pre_load() \u2192 None\nStubCommand.usage","text":"usage() \u2192 None\nTraceFreeBreakpoint","text":"Track calls to free() and attempts to detect inconsistencies.
"},{"location":"api/gef/#function-tracefreebreakpoint__init__","title":"functionTraceFreeBreakpoint.__init__","text":"__init__() \u2192 None\nTraceFreeBreakpoint.stop","text":"stop() \u2192 bool\nTraceFreeRetBreakpoint","text":"Internal temporary breakpoint to track free()d values.
"},{"location":"api/gef/#function-tracefreeretbreakpoint__init__","title":"functionTraceFreeRetBreakpoint.__init__","text":"__init__(addr: int) \u2192 None\nTraceFreeRetBreakpoint.stop","text":"stop() \u2192 bool\nTraceMallocBreakpoint","text":"Track allocations done with malloc() or calloc().
"},{"location":"api/gef/#function-tracemallocbreakpoint__init__","title":"functionTraceMallocBreakpoint.__init__","text":"__init__(name: str) \u2192 None\nTraceMallocBreakpoint.stop","text":"stop() \u2192 bool\nTraceMallocRetBreakpoint","text":"Internal temporary breakpoint to retrieve the return value of malloc().
"},{"location":"api/gef/#function-tracemallocretbreakpoint__init__","title":"functionTraceMallocRetBreakpoint.__init__","text":"__init__(size: int, name: str) \u2192 None\nTraceMallocRetBreakpoint.stop","text":"stop() \u2192 bool\nTraceReallocBreakpoint","text":"Track re-allocations done with realloc().
"},{"location":"api/gef/#function-tracereallocbreakpoint__init__","title":"functionTraceReallocBreakpoint.__init__","text":"__init__() \u2192 None\nTraceReallocBreakpoint.stop","text":"stop() \u2192 bool\nTraceReallocRetBreakpoint","text":"Internal temporary breakpoint to retrieve the return value of realloc().
"},{"location":"api/gef/#function-tracereallocretbreakpoint__init__","title":"functionTraceReallocRetBreakpoint.__init__","text":"__init__(ptr: int, size: int) \u2192 None\nTraceReallocRetBreakpoint.stop","text":"stop() \u2192 bool\nTraceRunCommand","text":"Create a runtime trace of all instructions executed from $pc to LOCATION specified. The trace is stored in a text file that can be next imported in IDA Pro to visualize the runtime path.
"},{"location":"api/gef/#function-traceruncommand__init__","title":"functionTraceRunCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-traceruncommandadd_setting","title":"functionTraceRunCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
TraceRunCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
TraceRunCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nTraceRunCommand.get_frames_size","text":"get_frames_size() \u2192 int\nTraceRunCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
TraceRunCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
TraceRunCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nTraceRunCommand.post_load","text":"post_load() \u2192 None\nTraceRunCommand.pre_load","text":"pre_load() \u2192 None\nTraceRunCommand.start_tracing","text":"start_tracing(loc_start: int, loc_end: int, depth: int) \u2192 None\nTraceRunCommand.trace","text":"trace(loc_start: int, loc_end: int, depth: int) \u2192 None\nTraceRunCommand.usage","text":"usage() \u2192 None\nUafWatchpoint","text":"Custom watchpoints set TraceFreeBreakpoint() to monitor free()d pointers being used.
"},{"location":"api/gef/#function-uafwatchpoint__init__","title":"functionUafWatchpoint.__init__","text":"__init__(addr: int) \u2192 None\nUafWatchpoint.stop","text":"stop() \u2192 bool\nIf this method is triggered, we likely have a UaF. Break the execution and report it.
"},{"location":"api/gef/#class-vmmapcommand","title":"classVMMapCommand","text":"Display a comprehensive layout of the virtual memory mapping. If a filter argument, GEF will filter out the mapping whose pathname do not match that filter.
"},{"location":"api/gef/#function-vmmapcommand__init__","title":"functionVMMapCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-vmmapcommandadd_setting","title":"functionVMMapCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
VMMapCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
VMMapCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nVMMapCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
VMMapCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
VMMapCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nVMMapCommand.is_integer","text":"is_integer(n: str) \u2192 bool\nVMMapCommand.post_load","text":"post_load() \u2192 None\nVMMapCommand.pre_load","text":"pre_load() \u2192 None\nVMMapCommand.print_entry","text":"print_entry(entry: __main__.Section) \u2192 None\nVMMapCommand.show_legend","text":"show_legend() \u2192 None\nVMMapCommand.usage","text":"usage() \u2192 None\nVersionCommand","text":"Display GEF version info.
"},{"location":"api/gef/#function-versioncommand__init__","title":"functionVersionCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-versioncommandadd_setting","title":"functionVersionCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
VersionCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
VersionCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nVersionCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
VersionCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
VersionCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nVersionCommand.post_load","text":"post_load() \u2192 None\nVersionCommand.pre_load","text":"pre_load() \u2192 None\nVersionCommand.usage","text":"usage() \u2192 None\nX86","text":""},{"location":"api/gef/#property-x86endianness","title":"property X86.endianness","text":""},{"location":"api/gef/#property-x86fp","title":"property X86.fp","text":""},{"location":"api/gef/#property-x86pc","title":"property X86.pc","text":""},{"location":"api/gef/#property-x86ptrsize","title":"property X86.ptrsize","text":""},{"location":"api/gef/#property-x86registers","title":"property X86.registers","text":""},{"location":"api/gef/#property-x86sp","title":"property X86.sp","text":""},{"location":"api/gef/#function-x86canary_address","title":"function X86.canary_address","text":"canary_address() \u2192 int\nX86.flag_register_to_human","text":"flag_register_to_human(val: Optional[int] = None) \u2192 str\nX86.get_ith_parameter","text":"get_ith_parameter(i: int, in_func: bool = True) \u2192 Tuple[str, Optional[int]]\nX86.get_ra","text":"get_ra(insn: __main__.Instruction, frame: 'gdb.Frame') \u2192 Optional[int]\nX86.is_branch_taken","text":"is_branch_taken(insn: __main__.Instruction) \u2192 Tuple[bool, str]\nX86.is_call","text":"is_call(insn: __main__.Instruction) \u2192 bool\nX86.is_conditional_branch","text":"is_conditional_branch(insn: __main__.Instruction) \u2192 bool\nX86.is_ret","text":"is_ret(insn: __main__.Instruction) \u2192 bool\nX86.mprotect_asm","text":"mprotect_asm(addr: int, size: int, perm: __main__.Permission) \u2192 str\nX86.register","text":"register(name: str) \u2192 int\nX86.reset_caches","text":"reset_caches() \u2192 None\nX86.supports_gdb_arch","text":"supports_gdb_arch(gdb_arch: str) \u2192 Optional[bool]\nIf implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
X86_64","text":""},{"location":"api/gef/#property-x86_64endianness","title":"property X86_64.endianness","text":""},{"location":"api/gef/#property-x86_64fp","title":"property X86_64.fp","text":""},{"location":"api/gef/#property-x86_64pc","title":"property X86_64.pc","text":""},{"location":"api/gef/#property-x86_64ptrsize","title":"property X86_64.ptrsize","text":""},{"location":"api/gef/#property-x86_64registers","title":"property X86_64.registers","text":""},{"location":"api/gef/#property-x86_64sp","title":"property X86_64.sp","text":""},{"location":"api/gef/#function-x86_64canary_address","title":"function X86_64.canary_address","text":"canary_address() \u2192 int\nX86_64.flag_register_to_human","text":"flag_register_to_human(val: Optional[int] = None) \u2192 str\nX86_64.get_ith_parameter","text":"get_ith_parameter(i: int, in_func: bool = True) \u2192 Tuple[str, Optional[int]]\nRetrieves the correct parameter used for the current function call.
"},{"location":"api/gef/#function-x86_64get_ra","title":"functionX86_64.get_ra","text":"get_ra(insn: __main__.Instruction, frame: 'gdb.Frame') \u2192 Optional[int]\nX86_64.is_branch_taken","text":"is_branch_taken(insn: __main__.Instruction) \u2192 Tuple[bool, str]\nX86_64.is_call","text":"is_call(insn: __main__.Instruction) \u2192 bool\nX86_64.is_conditional_branch","text":"is_conditional_branch(insn: __main__.Instruction) \u2192 bool\nX86_64.is_ret","text":"is_ret(insn: __main__.Instruction) \u2192 bool\nX86_64.mprotect_asm","text":"mprotect_asm(addr: int, size: int, perm: __main__.Permission) \u2192 str\nX86_64.register","text":"register(name: str) \u2192 int\nX86_64.reset_caches","text":"reset_caches() \u2192 None\nX86_64.supports_gdb_arch","text":"supports_gdb_arch(gdb_arch: str) \u2192 Optional[bool]\nIf implemented by a child Architecture, this function dictates if the current class supports the loaded ELF file (which can be accessed via gef.binary). This callback function will override any assumption made by GEF to determine the architecture.
XAddressInfoCommand","text":"Retrieve and display runtime information for the location(s) given as parameter.
"},{"location":"api/gef/#function-xaddressinfocommand__init__","title":"functionXAddressInfoCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-xaddressinfocommandadd_setting","title":"functionXAddressInfoCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
XAddressInfoCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
XAddressInfoCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nXAddressInfoCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
XAddressInfoCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
XAddressInfoCommand.infos","text":"infos(address: int) \u2192 None\nXAddressInfoCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nXAddressInfoCommand.post_load","text":"post_load() \u2192 None\nXAddressInfoCommand.pre_load","text":"pre_load() \u2192 None\nXAddressInfoCommand.usage","text":"usage() \u2192 None\nXFilesCommand","text":"Shows all libraries (and sections) loaded by binary. This command extends the GDB command info files, by retrieving more information from extra sources, and providing a better display. If an argument FILE is given, the output will grep information related to only that file. If an argument name is also given, the output will grep to the name within FILE.
XFilesCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-xfilescommandadd_setting","title":"functionXFilesCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
XFilesCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
XFilesCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nXFilesCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
XFilesCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
XFilesCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nXFilesCommand.post_load","text":"post_load() \u2192 None\nXFilesCommand.pre_load","text":"pre_load() \u2192 None\nXFilesCommand.usage","text":"usage() \u2192 None\nXorMemoryCommand","text":"XOR a block of memory. The command allows to simply display the result, or patch it runtime at runtime.
"},{"location":"api/gef/#function-xormemorycommand__init__","title":"functionXorMemoryCommand.__init__","text":"__init__() \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-xormemorycommandadd_setting","title":"functionXorMemoryCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
XorMemoryCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
XorMemoryCommand.do_invoke","text":"do_invoke(_: List[str]) \u2192 None\nXorMemoryCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
XorMemoryCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
XorMemoryCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nXorMemoryCommand.post_load","text":"post_load() \u2192 None\nXorMemoryCommand.pre_load","text":"pre_load() \u2192 None\nXorMemoryCommand.usage","text":"usage() \u2192 None\nXorMemoryDisplayCommand","text":"Display a block of memory pointed by ADDRESS by xor-ing each byte with KEY. The key must be provided in hexadecimal format.
"},{"location":"api/gef/#function-xormemorydisplaycommand__init__","title":"functionXorMemoryDisplayCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-xormemorydisplaycommandadd_setting","title":"functionXorMemoryDisplayCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
XorMemoryDisplayCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
XorMemoryDisplayCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nXorMemoryDisplayCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
XorMemoryDisplayCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
XorMemoryDisplayCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nXorMemoryDisplayCommand.post_load","text":"post_load() \u2192 None\nXorMemoryDisplayCommand.pre_load","text":"pre_load() \u2192 None\nXorMemoryDisplayCommand.usage","text":"usage() \u2192 None\nXorMemoryPatchCommand","text":"Patch a block of memory pointed by ADDRESS by xor-ing each byte with KEY. The key must be provided in hexadecimal format.
"},{"location":"api/gef/#function-xormemorypatchcommand__init__","title":"functionXorMemoryPatchCommand.__init__","text":"__init__(*args: Any, **kwargs: Any) \u2192 None\nReturn the list of settings for this command.
"},{"location":"api/gef/#function-xormemorypatchcommandadd_setting","title":"functionXorMemoryPatchCommand.add_setting","text":"add_setting(\n name: str,\n value: Tuple[Any, type, str],\n description: str = ''\n) \u2192 None\nadd_setting is DEPRECATED and will be removed in the future. Use self[setting_name] = value instead
XorMemoryPatchCommand.del_setting","text":"del_setting(name: str) \u2192 None\ndel_setting is DEPRECATED and will be removed in the future. Use del self[setting_name] instead
XorMemoryPatchCommand.do_invoke","text":"do_invoke(argv: List[str]) \u2192 None\nXorMemoryPatchCommand.get_setting","text":"get_setting(name: str) \u2192 Any\nget_setting is DEPRECATED and will be removed in the future. Use self[setting_name] instead
XorMemoryPatchCommand.has_setting","text":"has_setting(name: str) \u2192 bool\nhas_setting is DEPRECATED and will be removed in the future. Use setting_name in self instead
XorMemoryPatchCommand.invoke","text":"invoke(args: str, from_tty: bool) \u2192 None\nXorMemoryPatchCommand.post_load","text":"post_load() \u2192 None\nXorMemoryPatchCommand.pre_load","text":"pre_load() \u2192 None\nXorMemoryPatchCommand.usage","text":"usage() \u2192 None\nZone","text":"Zone(name, zone_start, zone_end, filename)
"},{"location":"api/gef/#class-classproperty","title":"classclassproperty","text":"Make the attribute a classproperty.
This file was automatically generated via lazydocs.
"},{"location":"commands/aliases/","title":"aliases","text":""},{"location":"commands/aliases/#command-aliases","title":"Commandaliases","text":"Base command to add, remove, and list GEF defined aliases.
gef\u27a4 aliases\naliases (add|rm|list)\nGEF defines its own aliasing mechanism which overrides the traditional alias that GDB provides through the built-in command alias. To add a new alias, simply use the aliases add command. The \"command\" parameter may contain spaces.
aliases add [alias] [command]\nTo remove an alias, simply use the aliases rm command.
aliases rm [alias]\nOne can list aliases by using the aliases ls command. Some sample output of this command is seen below.
[+] Aliases defined:\nfmtstr-helper \u2192 format-string-helper\ntelescope \u2192 dereference\ndps \u2192 dereference\ndq \u2192 hexdump qword\ndd \u2192 hexdump dword\ndw \u2192 hexdump word\ndc \u2192 hexdump byte\ncs-dis \u2192 capstone-disassemble\nctx \u2192 context\nstart-break \u2192 entry-break\nps \u2192 process-search\n[...]\nUsers can also create/modify/delete aliases by editing the GEF configuration file, by default located at ~/.gef.rc. The aliases must be in the aliases section of the configuration file.
Creating a new alias is as simple as creating a new entry in this section:
$ nano ~/.gef.rc\n[...]\n[aliases]\nmy-new-alias = gdb-or-gef-command <arg1> <arg2> <etc...>\nFor example, for those (like me) who use WinDBG and like its bindings, they can be integrated into GDB via GEF aliases like this:
$ nano ~/.gef.rc\n[...]\n[aliases]\n# some windbg aliases\ndps = dereference\ndq = hexdump qword\ndd = hexdump dword\ndw = hexdump word\ndc = hexdump byte\ndt = pcustom\nbl = info breakpoints\nbp = break\nbe = enable breakpoints\nbd = disable breakpoints\nbc = delete breakpoints\ntbp = tbreak\ntba = thbreak\npa = advance\nptc = finish\nt = stepi\np = nexti\ng = gef run\nuf = disassemble\nOr here are some PEDA aliases for people used to using PEDA who made the smart move to GEF.
# some peda aliases\ntelescope = dereference\nstart = entry-break\nstack = dereference -l 10 $sp\nargv = show args\nkp = info stack\nfindmem = search-pattern\nThe aliases will be loaded next time you load GDB (and GEF). Or you can force GEF to reload the settings with the command:
gef\u27a4 gef restore\naslr","text":"Easily check, enable or disable ASLR on the debugged binary.
Check the status:
gef\u27a4 aslr\nASLR is currently disabled\nActivate ASLR:
gef\u27a4 aslr on\n[+] Enabling ASLR\ngef\u27a4 aslr\nASLR is currently enabled\nDe-activate ASLR:
gef\u27a4 aslr off\n[+] Disabling ASLR\nNote: This command cannot affect a process that has already been loaded, to which GDB attached to later. The only way to disable this randomization is by setting the kernel setting /proc/sys/kernel/randomize_va_space to 0..
canary","text":"If the currently debugged process was compiled with the Smash Stack Protector (SSP) - i.e. the -fstack-protector flag was passed to the compiler, this command will display the value of the canary. This makes it convenient to avoid manually searching for this value in memory.
The command canary does not take any arguments.
gef\u27a4 canary\nchecksec","text":"The checksec command is inspired from checksec.sh. It provides a convenient way to determine which security protections are enabled in a binary.
You can use the command on the currently debugged process:
gef\u27a4 checksec\n[+] checksec for '/vagrant/test-bin'\nCanary: No\nNX Support: Yes\nPIE Support: No\nNo RPATH: Yes\nNo RUNPATH: Yes\nPartial RelRO: Yes\nFull RelRO: No\nOr specify directly the binary to check, for example:
$ gdb -ex \"checksec ./tests/test-x86\"\ngef config","text":"gef reads its config from a file which is by default located at ~/.gef.rc, but which can also be specified via the GEF_RC environment variable. In addition, gef can also be configured at runtime with the gef config command.
To view all settings for all commands loaded:
gef\u27a4 gef config\nOr to get one setting value:
gef\u27a4 gef config pcustom.struct_path\nOf course you can edit the values. For example, if you want the screen to be cleared before displaying the current context when reaching a breakpoing:
gef\u27a4 gef config context.clear_screen 1\nTo save the current settings for GEF to the file system to have those options persist across all your future GEF sessions, simply run:
gef\u27a4 gef save\n[+] Configuration saved to '/home/vagrant/.gef.rc'\nUpon startup, if $GEF_RC points to an existing file, or otherwise if ${HOME}/.gef.rc exists, gef will automatically load its values.
To reload the settings during the session, just run:
gef\u27a4 gef restore\n[+] Configuration from '/home/hugsy/.gef.rc' restored\nYou can tweak this configuration file outside your gdb session to suit your needs.
context","text":"gef (not unlike PEDA or fG! famous gdbinit) provides comprehensive context menu when hitting a breakpoint.
reg command.As well as using the built-in context panes, you can add your own custom pane that will be displayed at each break-like event with all the other panes. Custom panes can be added using the API:
register_external_context_pane(pane_name, display_pane_function, pane_title_function)\nCheck the API documentation to see a full usage of the registration API.
"},{"location":"commands/context/#editing-context-layout","title":"Editing context layout","text":"gef allows you to configure your own setup for the display, by re-arranging the order with which contexts will be displayed.
gef\u27a4 gef config context.layout\nThere are currently 6 sections that can be displayed:
legend : a text explanation of the color coderegs : the state of registersstack : the content of memory pointed by $sp registercode : the code being executedargs : if stopping at a function calls, print the call argumentssource : if compiled with source, this will show the corresponding line of source codethreads : all the threadstrace : the execution call traceextra : if an automatic behavior is detected (vulnerable format string, heap vulnerability, etc.) it will be displayed in this panememory : peek into arbitrary memory locationsTo hide a section, simply use the context.layout setting, and prepend the section name with - or just omit it.
gef\u27a4 gef config context.layout \"-legend regs stack code args -source -threads -trace extra memory\"\nThis configuration will not display the legend, source, threads, and trace sections.
The memory pane will display the content of all locations specified by the memory command. For instance,
gef\u27a4 memory watch $sp 0x40 byte\nwill print a hexdump version of 0x40 bytes of the stack. This command makes it convenient for tracking the evolution of arbitrary locations in memory. Tracked locations can be removed one by one using memory unwatch, or altogether with memory reset.
The size of most sections are also customizable:
nb_lines_stack configures how many lines of the stack to show.nb_lines_backtrack configures how many lines of the backtrace to show.nb_lines_code and nb_lines_code_prev configure how many lines to show after and before the PC, respectively.context.nb_lines_threads determines the number of lines to display inside the thread pane. This is convenient when debugging heavily multi-threaded applications (apache2, firefox, etc.). It receives an integer as value: if this value is -1 then all threads state will be displayed. Otherwise, if the value is set to N, then at most N thread states will be shown.To have the stack displayed with the largest stack addresses on top (i.e., grow the stack downward), enable the following setting:
gef\u27a4 gef config context.grow_stack_down True\nIf the saved instruction pointer is not within the portion of the stack being displayed, then a section is created that includes the saved ip and depending on the architecture the frame pointer.
0x00007fffffffc9e8\u2502+0x00: 0x00007ffff7a2d830 \u2192 <__main+240> mov edi, eax ($current_frame_savedip)\n0x00007fffffffc9e0\u2502+0x00: 0x00000000004008c0 \u2192 <__init+0> push r15 \u2190 $rbp\n. . . (440 bytes skipped)\n0x00007fffffffc7e8\u2502+0x38: 0x0000000000000000\n0x00007fffffffc7e0\u2502+0x30: 0x0000000000000026 (\"&\"?)\n0x00007fffffffc7d8\u2502+0x28: 0x0000000001958ac0\n0x00007fffffffc7d0\u2502+0x20: 0x00007ffff7ffa2b0 \u2192 0x5f6f7364765f5f00\n0x00007fffffffc7c8\u2502+0x18: 0x00007fff00000000\n0x00007fffffffc7c0\u2502+0x10: 0x00007fffffffc950 \u2192 0x0000000000000000\n0x00007fffffffc7b8\u2502+0x08: 0x0000000000000000\n0x00007fffffffc7b0\u2502+0x00: 0x00007fffffffc7e4 \u2192 0x0000000000000000 \u2190 $rsp\nBy default, the gef context will be displayed on the current TTY. This can be overridden by setting context.redirect variable to have the context sent to another section.
To do so, select the TTY/file/socket/etc. you want the context redirected to with gef config.
Enter the command tty in the prompt:
$ tty\n/dev/pts/0\nThen tell gef about it!
gef\u27a4 gef config context.redirect /dev/pts/0\nEnjoy:
To go back to normal, remove the value:
gef\u27a4 gef config context.redirect \"\"\nYou can display a single section by specifying it as an argument:
gef\u27a4 context regs\nMultiple sections can be provided, even if they are not part of the current layout:
gef\u27a4 context regs stack\ngef\u27a4 gef config context.layout \"code regs stack\"\ngef\u27a4 gef config context.enable 0\ngef\u27a4 gef config context.clear_screen 1\nregs section (more compact):gef\u27a4 gef config context.show_registers_raw 1\ngef\u27a4 gef config context.show_opcodes_size 4\ngef\u27a4 gef config context.peek_calls False\ngef\u27a4 gef config context.ignore_registers \"$cs $ds $gs\"\ngef\u27a4 gef config context.show_source_code_variable_values 0\ngef\u27a4 gef config context.libc_args True\ngef\u27a4 gef config context.libc_args_path /path/to/gef-extras/libc_args\ndereference","text":"The dereference command (also aliased telescope for PEDA former users) aims to simplify the dereferencing of an address in GDB to determine the content it actually points to.
It is a useful convienence function to spare to process of manually tracking values with successive x/x in GDB.
dereference takes three optional arguments, a start address (or symbol or register, etc) to dereference (by default, $sp), the number of consecutive addresses to dereference (by default, 10) and the base location for offset calculation (by default the same as the start address):
gef\u27a4 dereference\n0x00007fffffffdec0\u2502+0x0000: 0x00007ffff7ffe190 \u2192 0x0000555555554000 \u2192 jg 0x555555554047 \u2190 $rsp, $r13\n0x00007fffffffdec8\u2502+0x0008: 0x00007ffff7ffe730 \u2192 0x00007ffff7fd3000 \u2192 0x00010102464c457f\n0x00007fffffffded0\u2502+0x0010: 0x00007ffff7faa000 \u2192 0x00007ffff7de9000 \u2192 0x03010102464c457f\n0x00007fffffffded8\u2502+0x0018: 0x00007ffff7ffd9f0 \u2192 0x00007ffff7fd5000 \u2192 0x00010102464c457f\n0x00007fffffffdee0\u2502+0x0020: 0x00007fffffffdee0 \u2192 [loop detected]\n0x00007fffffffdee8\u2502+0x0028: 0x00007fffffffdee0 \u2192 0x00007fffffffdee0 \u2192 [loop detected]\n0x00007fffffffdef0\u2502+0x0030: 0x00000000f7fa57e3\n0x00007fffffffdef8\u2502+0x0038: 0x0000555555755d60 \u2192 0x0000555555554a40 \u2192 cmp BYTE PTR [rip+0x201601], 0x0 # 0x555555756048\n0x00007fffffffdf00\u2502+0x0040: 0x0000000000000004\n0x00007fffffffdf08\u2502+0x0048: 0x0000000000000001\nHere is an example with arguments:
gef\u27a4 telescope $rbp+0x10 -l 8\n0x00007fffffffdf40\u2502+0x0000: 0x00007ffff7fa5760 \u2192 0x00000000fbad2887\n0x00007fffffffdf48\u2502+0x0008: 0x00000001f7e65b63\n0x00007fffffffdf50\u2502+0x0010: 0x0000000000000004\n0x00007fffffffdf58\u2502+0x0018: 0x0000000000000000\n0x00007fffffffdf60\u2502+0x0020: 0x00007fffffffdfa0 \u2192 0x0000555555554fd0 \u2192 push r15\n0x00007fffffffdf68\u2502+0x0028: 0x0000555555554980 \u2192 xor ebp, ebp\n0x00007fffffffdf70\u2502+0x0030: 0x00007fffffffe080 \u2192 0x0000000000000001\n0x00007fffffffdf78\u2502+0x0038: 0x0000000000000000\nIt also optionally accepts a second argument, the number of consecutive addresses to dereference (by default, 10).
For example, if you want to dereference all the stack entries inside a function context (on a 64bit architecture):
gef\u27a4 p ($rbp - $rsp)/8\n$3 = 4\ngef\u27a4 dereference -l 5\n0x00007fffffffe170\u2502+0x0000: 0x0000000000400690 \u2192 push r15 \u2190 $rsp\n0x00007fffffffe178\u2502+0x0008: 0x0000000000400460 \u2192 xor ebp, ebp\n0x00007fffffffe180\u2502+0x0010: 0x00007fffffffe270 \u2192 0x1\n0x00007fffffffe188\u2502+0x0018: 0x1\n0x00007fffffffe190\u2502+0x0020: 0x0000000000400690 \u2192 push r15 \u2190 $rbp\nIt is possible to change the offset calculation to use a different address than the start address:
gef\u27a4 dereference $sp -l 7 -r $rbp\n0x00007ffe6ddaa3e0\u2502-0x0030: 0x0000000000000000 \u2190 $rsp\n0x00007ffe6ddaa3e8\u2502-0x0028: 0x0000000000400970 \u2192 <__libc_csu_init+0> push r15\n0x00007ffe6ddaa3f0\u2502-0x0020: 0x0000000000000000\n0x00007ffe6ddaa3f8\u2502-0x0018: 0x00000000004006e0 \u2192 <_start+0> xor ebp, ebp\n0x00007ffe6ddaa400\u2502-0x0010: 0x00007ffe6ddaa500 \u2192 0x0000000000000001\n0x00007ffe6ddaa408\u2502-0x0008: 0xa42456b3ee465800\n0x00007ffe6ddaa410\u2502+0x0000: 0x0000000000000000 \u2190 $rbp\nJust like with x, you can pass a negative number of addresses to dereference, to examine memory backwards from the start address:
gef\u27a4 dereference $sp -l 3\n0x00007fffffffcf90\u2502+0x0010: 0x00007ffff7f5aaa0 \u2192 0x0000000000000000\n0x00007fffffffcf88\u2502+0x0008: 0x00000000000204a0\n0x00007fffffffcf80\u2502+0x0000: 0x00005555555a6b60 \u2192 0x0000000000000000 \u2190 $rsp\ngef\u27a4 dereference $sp -l -3\n0x00007fffffffcf80\u2502+0x0000: 0x00005555555a6b60 \u2192 0x0000000000000000 \u2190 $rsp\n0x00007fffffffcf78\u2502-0x0008: 0x0000000000000020 (\" \"?)\n0x00007fffffffcf70\u2502-0x0010: 0x000000000000000a (\"\\n\"?)\nedit-flags","text":"The edit-flags command (alias: flags) provides a quick and comprehensible way to view and edit the flag register for the architectures that support it. Without argument, the command will simply return a human-friendly display of the register flags.
One or many arguments can be provided, following the syntax below:
gef\u27a4 flags [(+|-|~)FLAGNAME ...]\nWhere FLAGNAME is the name of the flag (case insensitive), and +|-|~ indicates the action on whether to set, unset, or toggle the flag.
For instance, on x86 architecture, if we don't want to take a conditional jump (e.g. a jz instruction), but we want to have the Carry flag set, simply go with:
gef\u27a4 flags -ZERO +CARRY\nelf-info","text":"elf-info (alias elf) provides some basic information on the currently loaded ELF binary:
gef\u27a4 elf\nMagic : 7f 45 4c 46\nClass : 0x2 - 64-bit\nEndianness : 0x1 - Little-Endian\nVersion : 0x1\nOS ABI : 0x0 - System V\nABI Version : 0x0\nType : 0x2 - Executable\nMachine : 0x3e - x86-64\nProgram Header Table : 0x0000000000000040\nSection Header Table : 0x00000000000021a8\nHeader Table : 0x0000000000000040\nELF Version : 0x1\nHeader size : 64 (0x40)\nEntry point : 0x0000000000400750\n\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 Program Header \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n [ #] Type Offset Virtaddr Physaddr FileSiz MemSiz Flags Align\n [ 0] PHDR 0x40 0x400040 0x400040 0x1f8 0x1f8 R-X 0x8\n [ 1] INTERP 0x238 0x400238 0x400238 0x1c 0x1c R-- 0x1\n [ 2] LOAD 0x0 0x400000 0x400000 0x1414 0x1414 R-X 0x200000\n [ 3] LOAD 0x1e10 0x601e10 0x601e10 0x268 0x330 RW- 0x200000\n [ 4] DYNAMIC 0x1e28 0x601e28 0x601e28 0x1d0 0x1d0 RW- 0x8\n [ 5] NOTE 0x254 0x400254 0x400254 0x44 0x44 R-- 0x4\n [ 6] GNU_EH_FLAME 0x11a0 0x4011a0 0x4011a0 0x74 0x74 R-- 0x4\n [ 7] GNU_STACK 0x0 0x0 0x0 0x0 0x0 RW- 0x10\n [ 8] GNU_RELRO 0x1e10 0x601e10 0x601e10 0x1f0 0x1f0 R-- 0x1\n\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 Section Header \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n [ #] Name Type Address Offset Size EntSiz Flags Link Info Align\n [ 0] NULL 0x0 0x0 0x0 0x0 0x0 0x0 0x0\n [ 1] .interp PROGBITS 0x400238 0x238 0x1c 0x0 A 0x0 0x0 0x1\n [ 2] .note.ABI-tag NOTE 0x400254 0x254 0x20 0x0 A 0x0 0x0 0x4\n [ 3] .note.gnu.build-id NOTE 0x400274 0x274 0x24 0x0 A 0x0 0x0 0x4\n [ 4] .gnu.hash GNU_HASH 0x400298 0x298 0x30 0x0 A 0x5 0x0 0x8\n [ 5] .dynsym DYNSYM 0x4002c8 0x2c8 0x168 0x18 A 0x6 0x1 0x8\n [ 6] .dynstr STRTAB 0x400430 0x430 0x96 0x0 A 0x0 0x0 0x1\n [ 7] .gnu.version HIOS 0x4004c6 0x4c6 0x1e 0x2 A 0x5 0x0 0x2\n [ 8] .gnu.version_r GNU_verneed 0x4004e8 0x4e8 0x30 0x0 A 0x6 0x1 0x8\n [ 9] .rela.dyn RELA 0x400518 0x518 0x60 0x18 A 0x5 0x0 0x8\n [10] .rela.plt RELA 0x400578 0x578 0xf0 0x18 AI 0x5 0x18 0x8\n [11] .init PROGBITS 0x400668 0x668 0x1a 0x0 AX 0x0 0x0 0x4\n [12] .plt PROGBITS 0x400690 0x690 0xb0 0x10 AX 0x0 0x0 0x10\n [13] .plt.got PROGBITS 0x400740 0x740 0x8 0x0 AX 0x0 0x0 0x8\n [14] .text PROGBITS 0x400750 0x750 0x842 0x0 AX 0x0 0x0 0x10\n [15] .fini PROGBITS 0x400f94 0xf94 0x9 0x0 AX 0x0 0x0 0x4\n [16] .rodata PROGBITS 0x400fa0 0xfa0 0x200 0x0 A 0x0 0x0 0x8\n [17] .eh_frame_hdr PROGBITS 0x4011a0 0x11a0 0x74 0x0 A 0x0 0x0 0x4\n [18] .eh_frame PROGBITS 0x401218 0x1218 0x1fc 0x0 A 0x0 0x0 0x8\n [19] .init_array INIT_ARRAY 0x601e10 0x1e10 0x8 0x0 WA 0x0 0x0 0x8\n [20] .fini_array FINI_ARRAY 0x601e18 0x1e18 0x8 0x0 WA 0x0 0x0 0x8\n [21] .jcr PROGBITS 0x601e20 0x1e20 0x8 0x0 WA 0x0 0x0 0x8\n [22] .dynamic DYNAMIC 0x601e28 0x1e28 0x1d0 0x10 WA 0x6 0x0 0x8\n [23] .got PROGBITS 0x601ff8 0x1ff8 0x8 0x8 WA 0x0 0x0 0x8\n [24] .got.plt PROGBITS 0x602000 0x2000 0x68 0x8 WA 0x0 0x0 0x8\n [25] .data PROGBITS 0x602068 0x2068 0x10 0x0 WA 0x0 0x0 0x8\n [26] .bss NOBITS 0x602080 0x2078 0xc0 0x0 WA 0x0 0x0 0x20\n [27] .comment PROGBITS 0x0 0x2078 0x34 0x1 MS 0x0 0x0 0x1\n [28] .shstrtab STRTAB 0x0 0x20ac 0xfc 0x0 0x0 0x0 0x1\nOptionally a filepath to another ELF binary can be provided to view the basic information for that binary instead.
gef\u27a4 elf-info --filename /path/to/elf/executable\nentry-break","text":"The entry-break (alias start) command's goal is to find and break at the most obvious entry point available in the binary. Since the binary will start running, some of the PLT entries will also be resolved, making further debugging easier.
It will perform the following actions:
main symbol. If found, set a temporary breakpoint and go.__libc_start_main. If found, set a temporary breakpoint and go.$","text":"The $ command attempts to mimic WinDBG ? command.
When provided one argument, it will evaluate the expression, and try to display the result with various formats:
gef\u27a4 $ $pc+1\n93824992252977\n0x555555559431\n0b10101010101010101010101010101011001010000110001\nb'UUUU\\x941'\nb'1\\x94UUUU'\n\ngef\u27a4 $ -0x1000\n-4096\n0xfffffffffffff000\n0b1111111111111111111111111111111111111111111111111111000000000000\nb'\\xff\\xff\\xff\\xff\\xff\\xff\\xf0\\x00'\nb'\\x00\\xf0\\xff\\xff\\xff\\xff\\xff\\xff'\nWith two arguments, it will simply compute the delta between them:
gef\u27a4 vmmap libc\nStart End Offset Perm\n0x00007ffff7812000 0x00007ffff79a7000 0x0000000000000000 r-x /lib/x86_64-linux-gnu/libc-2.24.so\n0x00007ffff79a7000 0x00007ffff7ba7000 0x0000000000195000 --- /lib/x86_64-linux-gnu/libc-2.24.so\n0x00007ffff7ba7000 0x00007ffff7bab000 0x0000000000195000 r-- /lib/x86_64-linux-gnu/libc-2.24.so\n0x00007ffff7bab000 0x00007ffff7bad000 0x0000000000199000 rw- /lib/x86_64-linux-gnu/libc-2.24.so\n\ngef\u27a4 $ 0x00007ffff7812000 0x00007ffff79a7000\n-1658880\n1658880\n\ngef\u27a4 $ 1658880\n1658880\n0x195000\n0b110010101000000000000\nb'\\x19P\\x00'\nb'\\x00P\\x19'\nformat-string-helper","text":"The format-string-helper command will create a GEF specific type of breakpoints dedicated to detecting potentially insecure format string when using the GlibC library.
It will use this new breakpoint against several targets, including:
printf()sprintf()fprintf()snprintf()vsnprintf()Just call the command to enable this functionality.
fmtstr-helper is a shorter alias.
gef\u27a4 fmtstr-helper\nThen start the binary execution.
gef\u27a4 r\nIf a potentially insecure entry is found, the breakpoint will trigger, stop the process execution, display the reason for trigger and the associated context.
"},{"location":"commands/functions/","title":"functions","text":""},{"location":"commands/functions/#command-functions","title":"Commandfunctions","text":"The functions command will list all of the convenience functions provided by GEF.
$_base([filepath]) -- Return the matching file's base address plus an optional offset. Defaults to the current file. Note that quotes need to be escaped.$_bss([offset]) -- Return the current bss base address plus the given offset.$_got([offset]) -- Return the current bss base address plus the given offset.$_heap([offset]) -- Return the current heap base address plus an optional offset.$_stack([offset]) -- Return the current stack base address plus an optional offset.These functions can be used as arguments to other commands to dynamically calculate values.
gef\u27a4 deref -l 4 $_heap()\n0x0000000000602000\u2502+0x00: 0x0000000000000000 \u2190 $r8\n0x0000000000602008\u2502+0x08: 0x0000000000000021 (\"!\"?)\n0x0000000000602010\u2502+0x10: 0x0000000000000000 \u2190 $rax, $rdx\n0x0000000000602018\u2502+0x18: 0x0000000000000000\ngef\u27a4 deref -l 4 $_heap(0x20)\n0x0000000000602020\u2502+0x00: 0x0000000000000000 \u2190 $rsi\n0x0000000000602028\u2502+0x08: 0x0000000000020fe1\n0x0000000000602030\u2502+0x10: 0x0000000000000000\n0x0000000000602038\u2502+0x18: 0x0000000000000000\ngef\u27a4 deref -l 4 $_base(\\\"libc\\\")\n0x00007ffff7da9000\u2502+0x0000: 0x03010102464c457f\n0x00007ffff7da9008\u2502+0x0008: 0x0000000000000000\n0x00007ffff7da9010\u2502+0x0010: 0x00000001003e0003\n0x00007ffff7da9018\u2502+0x0018: 0x0000000000027c60\ngef-remote","text":"target remote is the traditional GDB way of debugging process or system remotely. However this command by itself does a limited job (80's bandwith FTW) to collect more information about the target, making the process of debugging more cumbersome. GEF greatly improves that state with the gef-remote command.
\ud83d\udcdd Note: If using GEF, gef-remote must be your way or debugging remote processes, never target remote. Maintainers will not provide support or help if you decide to use the traditional target remote command. For many reasons, you cannot use target remote alone with GEF.
gef-remote can function in 2 ways: - remote which is meant to enrich use of GDB target remote command, when connecting to a \"real\" gdbserver instance - qemu-mode when connecting to GDB stab of either qemu-user or qemu-system.
The reason for this difference being that Qemu provides a lot less information that GEF can extract to enrich debugging. Whereas GDBServer allows to download remote file (therefore allowing to create a small identical environment), GDB stub in Qemu does not support file transfer. As a consequence, in order to use GEF in qemu mode, it is required to provide the binary being debugged. GEF will create a mock (limited) environment so that all its most useful features are available.
"},{"location":"commands/gef-remote/#remote-mode","title":"Remote mode","text":""},{"location":"commands/gef-remote/#remote","title":"remote","text":"If you want to remotely debug a binary that you already have, you simply need to tell to gdb where to find the debug information.
For example, if we want to debug uname, we do on the server:
$ gdbserver :1234 /tmp/default.out\nProcess /tmp/default.out created; pid = 258932\nListening on port 1234\nOn the client, when the original gdb would use target remote, GEF's syntax is roughly similar (shown running in debug mode for more verbose output, but you don't have to):
$ gdb -ex 'gef config gef.debug 1'\nGEF for linux ready, type `gef' to start, `gef config' to configure\n90 commands loaded and 5 functions added for GDB 10.2 using Python engine 3.8\ngef\u27a4 gef-remote localhost 1234\n[=] [remote] initializing remote session with localhost:1234 under /tmp/tmp8qd0r7iw\n[=] [remote] Installing new objfile handlers\n[=] [remote] Enabling extended remote: False\n[=] [remote] Executing 'target remote localhost:1234'\nReading /tmp/default.out from remote target...\nwarning: File transfers from remote targets can be slow. Use \"set sysroot\" to access files locally instead.\nReading /tmp/default.out from remote target...\nReading symbols from target:/tmp/default.out...\n[=] [remote] in remote_objfile_handler(target:/tmp/default.out))\n[=] [remote] downloading '/tmp/default.out' -> '/tmp/tmp8qd0r7iw/tmp/default.out'\nReading /lib64/ld-linux-x86-64.so.2 from remote target...\nReading /lib64/ld-linux-x86-64.so.2 from remote target...\n[=] [remote] in remote_objfile_handler(/usr/lib/debug/.build-id/45/87364908de169dec62ffa538170118c1c3a078.debug))\n[=] [remote] in remote_objfile_handler(target:/lib64/ld-linux-x86-64.so.2))\n[=] [remote] downloading '/lib64/ld-linux-x86-64.so.2' -> '/tmp/tmp8qd0r7iw/lib64/ld-linux-x86-64.so.2'\n[=] [remote] in remote_objfile_handler(system-supplied DSO at 0x7ffff7fcd000))\n[*] [remote] skipping 'system-supplied DSO at 0x7ffff7fcd000'\n0x00007ffff7fd0100 in _start () from target:/lib64/ld-linux-x86-64.so.2\n[=] Setting up as remote session\n[=] [remote] downloading '/proc/258932/maps' -> '/tmp/tmp8qd0r7iw/proc/258932/maps'\n[=] [remote] downloading '/proc/258932/environ' -> '/tmp/tmp8qd0r7iw/proc/258932/environ'\n[=] [remote] downloading '/proc/258932/cmdline' -> '/tmp/tmp8qd0r7iw/proc/258932/cmdline'\n[...]\nAnd finally breaking into the program, showing the current context:
You will also notice the prompt has changed to indicate the debugging mode is now \"remote\". Besides that, all of GEF features are available:
"},{"location":"commands/gef-remote/#remote-extended","title":"remote-extended","text":"Extended mode works the same as remote. Being an extended session, gdbserver has not spawned or attached to any process. Therefore, all that's required is to add the --pid flag when calling gef-remote, along with the process ID of the process to debug.
Qemu mode of gef-remote allows to connect to the Qemu GDB stub which allows to live debug into either a binary (qemu-user) or even the kernel (qemu-system), of any architecture supported by GEF, which makes now even more sense \ud83d\ude09 And using it is very straight forward.
qemu-user","text":"qemu-x86_64 :1234 /bin/ls--qemu-user and --qemu-binary /bin/ls when starting gef-remoteqemu-system","text":"To test locally, you can use the mini image linux x64 vm here. 1. Run ./run.sh 2. Use --qemu-user and --qemu-binary vmlinuz when starting gef-remote
gef","text":""},{"location":"commands/gef/#gef-base-command","title":"GEF Base Command","text":"Displays a list of GEF commands and their descriptions.
gef\u27a4 gef\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 GEF - GDB Enhanced Features \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n$ -- SmartEval: Smart eval (vague approach to mimic WinDBG `?`).\naslr -- View/modify the ASLR setting of GDB. By default, GDB will disable ASLR when it starts the process. (i.e. not\n attached). This command allows to change that setting.\nassemble -- Inline code assemble. Architecture can be set in GEF runtime config (default x86-32). (alias: asm)\nbincompare -- BincompareCommand: compare an binary file with the memory position looking for badchars.\nbytearray -- BytearrayCommand: Generate a bytearray to be compared with possible badchars.\n\n[...snip...]\n\nGEF is fully battery-included. However in some rare cases, it is possible that not all commands be loaded. If that's the case the command gef missing will detail which command failed to load, along with a (likely) reason. Read the documentation for a solution, or reach out on the Discord.
gef\u27a4 gef missing\n[*] Command `XXXX` is missing, reason \u2192 YYYYY.\nAllows the user to set/view settings for the current debugging session. For making the changes persistent see the gef save entry.
Using gef config by itself just shows all of the available settings and their values.
gef\u27a4 gef config\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 GEF configuration settings \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\ncontext.clear_screen (bool) = False\ncontext.enable (bool) = True\ncontext.grow_stack_down (bool) = False\ncontext.ignore_registers (str) = \"\"\ncontext.layout (str) = \"-code -stack\"\ncontext.libc_args (bool) = False\n\n[...snip...]\n\nTo filter the config settings you can use gef config [setting].
gef\u27a4 gef config theme\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 GEF configuration settings matching 'theme' \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\ntheme.context_title_line (str) = \"gray\"\ntheme.context_title_message (str) = \"cyan\"\ntheme.default_title_line (str) = \"gray\"\ntheme.default_title_message (str) = \"cyan\"\n\n[...snip...]\n\nYou can use gef config [setting] [value] to set a setting for the current session (see example below).
gef\u27a4 gef config theme.address_stack blue\nThe gef save command saves the current settings (set with gef config) to the user's ~/.gef.rc file (making the changes persistent).
gef\u27a4 gef save\n[+] Configuration saved to '/home/michael/.gef.rc'\nUsing gef restore loads and applies settings from the ~/.gef.rc file to the current session. This is useful if you are modifying your GEF configuration file and want to see the changes without completely reloading GEF.
gef\u27a4 gef restore\n[+] Configuration from '/home/michael/.gef.rc' restored\nThe GEF set command allows the user to use GEF context within GDB set commands. This is useful when you want to make a convenient variable which can be set and referenced later.
gef\u27a4 gef set $a=1\nThe GEF run command is a wrapper around GDB's run command, allowing the user to use GEF context within the command.
gef\u27a4 gef run ./binary\ngef install allows to install one (or more) specific script(s) from gef-extras. The new scripts will be downloaded and sourced to be used immediately after by GEF. The syntax is straight forward:
gef\u27a4 gef install SCRIPTNAME1 [SCRIPTNAME2...]\nWhere SCRIPTNAME1 ... are the names of script from the gef-extras repository.
gef\u27a4 gef install remote windbg stack\n[+] Searching for 'remote.py' in `gef-extras@main`...\n[+] Installed file '/tmp/gef/remote.py', new command(s) available: `rpyc-remote`\n[+] Searching for 'windbg.py' in `gef-extras@main`...\n[+] Installed file '/tmp/gef/windbg.py', new command(s) available: `pt`, `hh`, `tt`, `ptc`, `sxe`, `u`, `xs`, `tc`, `pc`, `g`, `r`\n[+] Searching for 'stack.py' in `gef-extras@main`...\n[+] Installed file '/tmp/gef/stack.py', new command(s) available: `current-stack-frame`\ngef\u27a4\nThis makes it easier to deploy new functionalities in limited environment. By default, the command looks up for script names in the main branch of gef-extras. However you can change specify a different branch through the gef.default_branch configuration setting:
gef\u27a4 gef config gef.default_branch dev\nThe files will be dowloaded in the path configured in the gef.extra_plugins_dir setting, allowing to reload it easily without having to re-download.
got","text":"Display the current state of GOT table of the running process.
The got command optionally takes function names and filters the output displaying only the matching functions.
gef\u27a4 got\nThe applied filter partially matches the name of the functions, so you can do something like this.
gef\u27a4 got str\ngef\u27a4 got print\ngef\u27a4 got read\nExample of multiple partial filters:
gef\u27a4 got str get\nheap-analysis-helper","text":"Please note: This feature is still under development, expect bugs and unstability.
heap-analysis-helper command aims to help the process of idenfitying Glibc heap inconsistencies by tracking and analyzing allocations and deallocations of chunks of memory.
Currently, the following issues can be tracked:
The helper can simply be activated by running the command heap-analysis-helper.
gef\u27a4 heap-analysis\n[+] Tracking malloc()\n[+] Tracking free()\n[+] Disabling hardware watchpoints (this may increase the latency)\n[+] Dynamic breakpoints correctly setup, GEF will break execution if a possible vulnerabity is found.\n[+] To disable, clear the malloc/free breakpoints (`delete breakpoints`) and restore hardware breakpoints (`set can-use-hw-watchpoints 1`)\nThe helper will create specifically crafted breakoints to keep tracks of allocation, which allows to discover potential vulnerabilities. Once activated, one can disable the heap analysis breakpoints simply by clearing the __GI___libc_free() et __GI___libc_malloc(). It is also possible to enable/disable manually punctual checks via the gef config command.
The following settings are accepted:
check_null_free: to break execution when a free(NULL) is encountered (disabled by default);check_double_free: to break execution when a double free is encountered;check_weird_free: to execution when free() is called against a non-tracked pointer;check_uaf: to break execution when a possible Use-after-Free condition is found.Just like the format string vulnerability helper, the heap-analysis-helper can fail to detect complex heap scenarios and/or provide some false positive alerts. Each finding must of course be ascertained manually.
The heap-analysis-helper can also be used to simply track allocation and liberation of chunks of memory. One can simply enable the tracking by setting all the configurations stated above to False:
gef\u27a4 gef config heap-analysis-helper.check_double_free False\ngef\u27a4 gef config heap-analysis-helper.check_free_null False\ngef\u27a4 gef config heap-analysis-helper.check_weird_free False\ngef\u27a4 gef config heap-analysis-helper.check_uaf False\nThen gef will not notify you of any inconsistency detected, but simply display a clear message when a chunk is allocated/freed.
To get information regarding the currently tracked chunks, use the show subcommand:
gef\u27a4 heap-analysis-helper show\nheap","text":"The heap command provides information on the heap chunk specified as argument. For the moment, it only supports GlibC heap format (see this link for malloc structure information). Syntax to the subcommands is straight forward:
gef\u27a4 heap <sub_commands>\nmain_arena symbol","text":"If the linked glibc of the target program does not have debugging symbols it might be tricky for GEF to find the address of the main_arena which is needed for most of the heap subcommands. If you know the offset of this symbol from the glibc base address you can use GEF's config to provide said value:
gef\u27a4 gef config gef.main_arena_offset <offset>\nIf you do not know this offset and you want GEF to try and find it via bruteforce when executing a heap command the next time, you can try this instead:
gef\u27a4 gef config gef.bruteforce_main_arena True\nNote that this might take a few seconds to complete. If GEF does find the symbol you can then calculate the offset to the libc base address and save it in the config.
"},{"location":"commands/heap/#heap-chunks-command","title":"heap chunks command","text":"Displays all the chunks from the heap section of the current arena.
gef\u27a4 heap chunks\nTo select from which arena to display chunks either use the heap set-arena command or provide the base address of the other arena like this:
gef\u27a4 heap chunks [arena_address]\nIn order to display the chunks of all the available arenas at once use
gef\u27a4 heap chunks -a\nBecause usually the heap chunks are aligned to a certain number of bytes in memory GEF automatically re-aligns the chunks data start addresses to match Glibc's behavior. To be able to view unaligned chunks as well, you can disable this with the --allow-unaligned flag. Note that this might result in incorrect output.
heap chunk command","text":"This command gives visual information of a Glibc malloc-ed chunked. Simply provide the address to the user memory pointer of the chunk to show the information related to a specific chunk:
gef\u27a4 heap chunk [address]\nBecause usually the heap chunks are aligned to a certain number of bytes in memory GEF automatically re-aligns the chunks data start addresses to match Glibc's behavior. To be able to view unaligned chunks as well, you can disable this with the --allow-unaligned flag. Note that this might result in incorrect output.
There is an optional number argument, to specify the number of chunks printed by this command. To do so, simply provide the --number argument:
gef\u27a4 heap chunk --number 6 0x4e5400\nChunk(addr=0x4e5400, size=0xd0, flags=PREV_INUSE)\nChunk(addr=0x4e54d0, size=0x1a0, flags=PREV_INUSE)\nChunk(addr=0x4e5670, size=0x200, flags=PREV_INUSE)\nChunk(addr=0x4e5870, size=0xbc0, flags=PREV_INUSE)\nChunk(addr=0x4e6430, size=0x330, flags=PREV_INUSE)\nChunk(addr=0x4e6760, size=0x4c0, flags=PREV_INUSE)\n\nheap arenas command","text":"Multi-threaded programs have different arenas, and the knowledge of the main_arena is not enough. gef therefore provides the arena sub-commands to help you list all the arenas allocated in your program at the moment you call the command.
heap set-arena command","text":"In cases where the debug symbol are not present (e.g. statically stripped binary), it is possible to instruct GEF to find the main_arena at a different location with the command:
gef\u27a4 heap set-arena [address]\nIf the arena address is correct, all heap commands will be functional, and use the specified address for main_arena.
heap bins command","text":"Glibc uses bins for keeping tracks of freed chunks. This is because making allocations through sbrk (requiring a syscall) is costly. Glibc uses those bins to remember formerly allocated chunks. Because bins are structured in single or doubly linked list, I found that quite painful to always interrogate gdb to get a pointer address, dereference it, get the value chunk, etc... So I decided to implement the heap bins sub-command, which allows to get info on:
fastbinsbinsunsortedsmall binslarge binstcachebinsheap bins fast command","text":"When exploiting heap corruption vulnerabilities, it is sometimes convenient to know the state of the fastbinsY array.
The fast sub-command helps by displaying the list of fast chunks in this array. Without any other argument, it will display the info of the main_arena arena. It accepts an optional argument, the address of another arena (which you can easily find using heap arenas).
gef\u27a4 heap bins fast\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 Fastbins for arena 0x7ffff7fb8b80 \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nFastbins[idx=0, size=0x20] \u2190 Chunk(addr=0x555555559380, size=0x20, flags=PREV_INUSE)\nFastbins[idx=1, size=0x30] 0x00\nFastbins[idx=2, size=0x40] 0x00\nFastbins[idx=3, size=0x50] 0x00\nFastbins[idx=4, size=0x60] 0x00\nFastbins[idx=5, size=0x70] 0x00\nFastbins[idx=6, size=0x80] 0x00\nheap bins X command","text":"All the other subcommands (with the exception of tcache) for the heap bins work the same way as fast. If no argument is provided, gef will fall back to main_arena. Otherwise, it will use the address pointed as the base of the malloc_state structure and print out information accordingly.
heap bins tcache command","text":"Modern versions of glibc use tcache bins to speed up multithreaded programs. Unlike other bins, tcache bins are allocated on a per-thread basis, so there is one set of tcache bins for each thread.
gef\u27a4 heap bins tcache [all] [thread_ids...]\nWithout any arguments, heap bins tcache will display the tcache for the current thread. heap bins tcache all will show the tcaches for every thread, or you can specify any number of thread ids to see the tcache for each of them. For example, use the following command to show the tcache bins for threads 1 and 2.
gef\u27a4 heap bins tcache 1 2\ngef help","text":"Displays the help menu for the loaded GEF commands.
gef\u27a4 gef help\nhexdump","text":"Imitation of the WinDBG command.
This command takes 4 optional arguments:
hexdump byte will also try to display the ASCII character values if the byte is printable (similarly to the hexdump -C command on Linux).
The syntax is as following:
hexdump (qword|dword|word|byte) [-h] [--reverse] [--size SIZE] [address]\nExamples:
$pc:gef\u27a4 hexdump qword $pc --size 4\n0x7ffff7a5c1c0+0000 \u2502 0x4855544155415641\n0x7ffff7a5c1c0+0008 \u2502 0x0090ec814853cd89\n0x7ffff7a5c1c0+0010 \u2502 0x377d6f058b480000\n0x7ffff7a5c1c0+0018 \u2502 0x748918247c894800\ngef\u27a4 hexdump byte 0x00007fffffffe5e5 --size 32\n0x00007fffffffe5e5 2f 68 6f 6d 65 2f 68 75 67 73 79 2f 63 6f 64 65 /home/hugsy/code\n0x00007fffffffe5f5 2f 67 65 66 2f 74 65 73 74 73 2f 77 69 6e 00 41 /gef/tests/win.A\n$sp in reverse order:gef\u27a4 hexdump word 8 --reverse\n0x00007fffffffe0ee\u2502+0x000e 0x0000\n0x00007fffffffe0ec\u2502+0x000c 0x7fff\n0x00007fffffffe0ea\u2502+0x000a 0xffff\n0x00007fffffffe0e8\u2502+0x0008 0xe3f5\n0x00007fffffffe0e6\u2502+0x0006 0x0000\n0x00007fffffffe0e4\u2502+0x0004 0x0000\n0x00007fffffffe0e2\u2502+0x0002 0x0000\n0x00007fffffffe0e0\u2502+0x0000 0x0001\nhighlight","text":"This command sets up custom highlighting for user set strings.
Syntax:
highlight (add|remove|list|clear)\nAlias:
hlThe following will add 41414141/'AAAA' as yellow, and 42424242/'BBBB' as blue:
gef\u27a4 hl add 41414141 yellow\ngef\u27a4 hl add 42424242 blue\ngef\u27a4 hl add AAAA yellow\ngef\u27a4 hl add BBBB blue\nTo remove a match, target it by the original string used, ex.:
gef\u27a4 hl rm 41414141\nTo list all matches with their colors:
gef\u27a4 hl list\n41414141 | yellow\n42424242 | blue\nAAAA | yellow\nBBBB | blue\nTo clear all matches currently setup:
gef\u27a4 hl clear\nRegEx support is disabled by default, this is done for performance reasons.
To enable regular expressions on text matches:
gef\u27a4 gef config highlight.regex True\nTo check the current status:
gef\u27a4 gef config highlight.regex\nhighlight.regex (bool) = True\nNOTE: Adding many matches may slow down debugging while using GEF. This includes enabling RegEx support.
"},{"location":"commands/highlight/#colors","title":"Colors","text":"To find a list of supported colors, check the theme documentation.
"},{"location":"commands/hijack-fd/","title":"hijack-fd","text":""},{"location":"commands/hijack-fd/#command-hijack-fd","title":"Commandhijack-fd","text":"gef can be used to modify file descriptors of the debugged process. The new file descriptor can point to a file, a pipe, a socket, a device etc.
To use it, simply run
gef\u27a4 hijack-fd FDNUM NEWFILE\nFor instance,
gef\u27a4 hijack-fd 1 /dev/null\nWill modify the current process file descriptors to redirect STDOUT to /dev/null.
This command also supports connecting to an ip:port if it is provided as an argument. For example
gef\u27a4 hijack-fd 0 localhost:8888\nWill redirect STDIN to localhost:8888
Check out the tutorial on GEF's YouTube channel:
"},{"location":"commands/ksymaddr/","title":"ksymaddr","text":""},{"location":"commands/ksymaddr/#command-ksymaddr","title":"Commandksymaddr","text":"ksymaddr helps locate a kernel symbol by its name.
The syntax is straight forward:
ksymaddr <PATTERN>\nFor example,
gef\u27a4 ksymaddr commit_creds\n[+] Found matching symbol for 'commit_creds' at 0xffffffff8f495740 (type=T)\n[*] Found partial match for 'commit_creds' at 0xffffffff8f495740 (type=T): commit_creds\n[*] Found partial match for 'commit_creds' at 0xffffffff8fc71ee0 (type=R): __ksymtab_commit_creds\n[*] Found partial match for 'commit_creds' at 0xffffffff8fc8d008 (type=r): __kcrctab_commit_creds\n[*] Found partial match for 'commit_creds' at 0xffffffff8fc9bfcd (type=r): __kstrtab_commit_creds\nNote that the debugging process needs to have the correct permissions for this command to show kernel addresses. For more information see also this stackoverflow post.
"},{"location":"commands/memory/","title":"memory","text":""},{"location":"commands/memory/#command-memory","title":"Commandmemory","text":"As long as the 'memory' section is enabled in your context layout (which it is by default), you can register addresses, lengths, and grouping size.
Note: this command shoud NOT be mistaken with the GDB watch command meant to set breakpoints on memory access (read,write,exec).
Specify a location to watch and display with the context, along with their optional size and format:
Syntax:
memory watch <ADDRESS> [SIZE] [(qword|dword|word|byte|pointers)]\nIf the format specified is pointers, then the output will be similar to executing the command dereference $address. For all other format, the output will be an hexdump of the designated location.
Note that the address format is a GDB therefore a symbol can be passed to it. It also supports GEF functions format allowing to easily track commonly used addresses:
For example, to watch the first 5 entries of the GOT as pointers:
gef \u27a4 memory watch $_got()+0x18 5\n[+] Adding memwatch to 0x555555773c50\nWhich, when the context is displayed, will show something like:
Remove a watched address. To list all the addresses being watched, use memory list.
Syntax:
memory unwatch <ADDRESS>\nEnumerate all the addresses currently watched by the memory command.
Syntax:
memory list\nThe command will output a list of all the addresses watched, along with the size and format to display them as.
"},{"location":"commands/memory/#resetting-watches","title":"Resetting watches","text":"Empties the list of addresses to watch.
Syntax:
memory reset\nname-break","text":"The command name-break (alias nb) can be used to set a breakpoint on a location with a name assigned to it.
Every time this breakpoint is hit, the specified name will also be shown in the extra section to make it easier to keep an overview when using multiple breakpoints in a stripped binary.
name-break name [address]
address may be a linespec, address, or explicit location, same as specified for break. If address isn't specified, it will create the breakpoint at the current instruction pointer address.
Examples:
nb first *0x400ec0nb \"main func\" mainnb read_secret *main+149nb check_heapExample output:
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:x86:64 \u2500\u2500\u2500\u2500\n 0x400e04 add eax, 0xfffbe6e8\n 0x400e09 dec ecx\n 0x400e0b ret\n \u2192 0x400e0c push rbp\n 0x400e0d mov rbp, rsp\n 0x400e10 sub rsp, 0x50\n 0x400e14 mov QWORD PTR [rbp-0x48], rdi\n 0x400e18 mov QWORD PTR [rbp-0x50], rsi\n 0x400e1c mov rax, QWORD PTR fs:0x28\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n0x00007fffffffe288\u2502+0x0000: 0x0000000000401117 \u2192 movzx ecx, al \u2190 $rsp\n0x00007fffffffe290\u2502+0x0008: 0x00007fffffffe4b8 \u2192 0x00007fffffffe71d \u2192 \"/ctf/t19/srv_copy\"\n0x00007fffffffe298\u2502+0x0010: 0x0000000100000000\n0x00007fffffffe2a0\u2502+0x0018: 0x0000000000000000\n0x00007fffffffe2a8\u2502+0x0020: 0x0000000000000004\n0x00007fffffffe2b0\u2502+0x0028: 0x0000000000000000\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 extra \u2500\u2500\u2500\u2500\n[+] Hit breakpoint *0x400e0c (check_entry)\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\ngef\u27a4\nnop","text":"The nop command allows you to easily patch instructions with nops.
nop [LOCATION] [--i ITEMS] [--f] [--n] [--b]\nLOCATION address/symbol to patch (by default this command replaces whole instructions)
--i ITEMS number of items to insert (default 1)
--f Force patch even when the selected settings could overwrite partial instructions
--n Instead of replacing whole instructions, insert ITEMS nop instructions, no matter how many instructions it overwrites
--b Instead of replacing whole instructions, fill ITEMS bytes with nops
nop the current instruction ($pc):
gef\u27a4 nop\nnop an instruction at $pc+3 address:
gef\u27a4 nop $pc+3\nnop two instructions at address $pc+3:
gef\u27a4 nop --i 2 $pc+3\nReplace 1 byte with nop at current instruction ($pc):
gef\u27a4 nop --b\nReplace 1 byte with nop at address $pc+3:
gef\u27a4 nop --b $pc+3\nReplace 2 bytes with nop(s) (breaking the last instruction) at address $pc+3:
gef\u27a4 nop --f --b --i 2 $pc+3\nPatch 2 nops at address $pc+3:
gef\u27a4 nop --n --i 2 $pc+3\npatch","text":"patch lets you easily patch the specified values to the specified address.
gef\u27a4 patch byte $eip 0x90\ngef\u27a4 patch string $eip \"cool!\"\nThese commands copy the first 10 bytes of $rsp+8 to $rip:
gef\u27a4 print-format --lang bytearray -l 10 $rsp+8\nSaved data b'\\xcb\\xe3\\xff\\xff\\xff\\x7f\\x00\\x00\\x00\\x00'... in '$_gef0'\ngef\u27a4 patch byte $rip $_gef0\nVery handy to copy-paste-execute shellcodes/data from different memory regions.
"},{"location":"commands/pattern/","title":"pattern","text":""},{"location":"commands/pattern/#command-pattern","title":"Commandpattern","text":"This command will create or search a De Bruijn cyclic pattern to facilitate determining offsets in memory. The sequence consists of a number of unique substrings of a chosen length.
It should be noted that for better compatibility, the algorithm implemented in GEF is the same as the one in pwntools, and can therefore be used in conjunction.
pattern create","text":"pattern create [-h] [-n N] [length]\nThe sub-command create allows one create a new De Bruijn sequence. The optional argument n determines the length of unique subsequences. Its default value matches the currently loaded architecture. The length argument sets the total length of the whole sequence.
gef\u27a4 pattern create -n 4 128\n[+] Generating a pattern of 128 bytes (n=4)\naaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaab\n[+] Saved as '$_gef0'\nThe equivalent command with pwntools is
from pwn import *\np = cyclic(128, n=8)\npattern search","text":"pattern search [-h] [-n N] [--max-length MAX_LENGTH] [pattern]\nThe search sub-command seeks the pattern given as argument, trying to find its offset in the De Bruijn sequence. The optional argument n determines the length of unique subsequences, and it should usually match the length of pattern. Using MAX_LENGTH the maximum length of the sequence to search in can be adjusted.
Note that the pattern can be passed as a GDB symbol (such as a register name), a string or a hexadecimal value
gef\u27a4 pattern search 0x6161616161616167\n[+] Searching '0x6161616161616167'\n[+] Found at offset 48 (little-endian search) likely\n[+] Found at offset 41 (big-endian search)\ngef\u27a4 pattern search $rbp\n[+] Searching '$rbp'\n[+] Found at offset 32 (little-endian search) likely\n[+] Found at offset 25 (big-endian search)\ngef\u27a4 pattern search aaaaaaac\n[+] Searching for 'aaaaaaac'\n[+] Found at offset 16 (little-endian search) likely\n[+] Found at offset 9 (big-endian search)\npcustom","text":"gef provides a way to create and apply to the currently debugged environment, any new structure (in the C-struct way). On top of simply displaying known and user-defined structures, it also allows to apply those structures to the current context. It intends to mimic the very useful WinDBG dt command.
This is achieved via the command pcustom (for print custom), or you can use its alias, dt (in reference to the WinDBG command) as provided by the WinDbg compatibility extension
New structures can be stored in the location given by the configuration setting:
gef\u27a4 gef config pcustom.struct_path\nBy default, this location is in $TEMP/gef/structs (e.g. /tmp/user/1000/gef/structs). The structure can be created as a simple ctypes structure, in a file called <struct_name>.py.
You can naturally set this path to a new location
gef\u27a4 gef config pcustom.struct_path /my/new/location\nAnd save this change so you can re-use it directly next time you use gdb
gef\u27a4 gef save\n[+] Configuration saved to '~/.gef.rc'\nYou can list existing custom structures via
gef\u27a4 pcustom list\n[+] Listing custom structures from '/tmp/structs'\n \u2192 /tmp/structs/A.py (A, B)\n \u2192 /tmp/structs/elf32_t.py (elf32_t)\n \u2192 /tmp/structs/elf64_t.py (elf64_t)\n[...]\nTo create or edit a structure, use pcustom edit <struct_name> to spawn your EDITOR with the targeted structure. If the file does not exist, gef will nicely create the tree and file, and fill it with a ctypes template that you can use straight away!
gef\u27a4 pcustom new mystruct_t\n[+] Creating '/tmp/gef/structs/mystruct_t.py' from template\nIf the structure already exists, GEF will open the text editor to edit the known structure. This is equivalent to:
gef\u27a4 pcustom edit elf32_t\n[+] Editing '/home/hugsy/code/gef-extras/structs/elf32_t.py'\nctypes.Structure-like classes","text":"The code can be defined just as any Python (using ctypes) code.
from ctypes import *\n\n'''\ntypedef struct {\n int age;\n char name[256];\n int id;\n} person_t;\n'''\n\nclass person_t(Structure):\n _fields_ = [\n (\"age\", c_int),\n (\"name\", c_char * 256),\n (\"id\", c_int),\n ]\n\n _values_ = [\n # You can define a function to substitute the value\n (\"age\", lambda age: \"Old\" if age > 40 else \"Young\"),\n # Or alternatively a list of 2-tuples\n (\"id\", [\n (0, \"root\"),\n (1, \"normal user\"),\n (None, \"Invalid person\")\n ])\n ]\npcustom requires at least one argument, which is the name of the structure. With only one argument, pcustom will dump all the fields of this structure.
gef\u27a4 dt person_t\n+0000 age c_int /* size=0x4 */\n+0004 name c_char_Array_256 /* size=0x100 */\n+0104 id c_int /* size=0x4 */\nBy providing an address or a GDB symbol, gef will apply this user-defined structure to the specified address:
This means that we can now create very easily new user-defined structures
For a full demo, watch the following tutorial:
Additionally, if you have successfully configured your IDA settings, you can also directly import the structure(s) that was(were) reverse-engineered in IDA directly in your GDB session: - (see gef-extras/ida-rpyc, which is the new improved version of ida-interact)
ctypes.Structure-like classes","text":"pcustom also supports the use of class factories to create a ctypes.Structure class whose structure will be adjusted based on the runtime information we provide (information about the currently debugged binary, the architecture, the size of a pointer and more).
The syntax is relatively close to the way we use to create static classes (see above), but instead we define a function that will generate the class. The requirements for this class factory are: - take a single Gef positional argument - End the function name with _t
To continue the person_t function we defined in the example above, we could modify the static class as a dynamic one very easily:
import ctypes\nfrom typing import Optional\n\ndef person_t(gef: Optional[\"Gef\"]=None):\n fields = [\n (\"age\", ctypes.c_int),\n (\"name\", ctypes.c_char * 256),\n (\"id\", ctypes.c_int),\n ]\n\n class person_cls(ctypes.Structure):\n _fields_ = fields\n\n return person_cls\nThanks to the gef parameter, the structure can be transparently adjusted so that GEF will parse it differently with its runtime information. For example, we can add constraints to the example above:
import ctypes\nfrom typing import Optional\n\ndef person_t(gef: Optional[\"Gef\"]==None):\n fields = [\n (\"age\", ctypes.c_uint8),\n (\"name\", ctypes.c_char * 256),\n (\"id\", ctypes.c_uint8),\n ]\n\n # constraint on the libc version\n if gef.libc.version > (2, 27):\n # or on the pointer size\n pointer_type = ctypes.c_uint64 if gef.arch.ptrsize == 8 else ctypes.c_uint32\n fields += [\n (\"new_field\", pointer_size)\n ]\n\n class person_cls(ctypes.Structure):\n _fields_ = fields\n\n return person_cls\nA community contributed repository of structures can be found in gef-extras. To deploy it:
In bash:
$ git clone https://github.com/hugsy/gef-extras\nIn GEF:
gef\u27a4 gef config pcustom.struct_path /path/to/gef-extras/structs\ngef\u27a4 gef save\nThen either close GDB or gef reload. You can confirm the structures were correctly loaded in GEF's prompt:
gef\u27a4 pcustom list\nShould return several entries.
And remember this is collaborative repository, so feel free to contribute too!
"},{"location":"commands/pie/","title":"pie","text":""},{"location":"commands/pie/#command-pie","title":"Commandpie","text":"The pie command is handy when working with position-independent executables. At runtime, it can automatically resolve addresses for breakpoints that are not static.
Note that you need to use the entire pie command series to support PIE breakpoints, especially the \"pie run commands\", like pie attach, pie run, etc.
pie breakpoint command","text":"This command sets a new PIE breakpoint. It can be used like the normal breakpoint command in gdb. The argument for the command is the offset from the base address or a symbol. The breakpoints will not be set immediately after this command. Instead, it will be set when you use pie attach, pie run or pie remote to actually attach to a process, so it can resolve the right base address.
Usage:
gef\u27a4 pie breakpoint OFFSET\npie info command","text":"Since a PIE breakpoint is not a real breakpoint, this command provides a way to observe the state of all PIE breakpoints.
This works just like info breakpoint in gdb.
gef\u27a4 pie info\nVNum Num Addr\n1 N/A 0xdeadbeef\nVNum stands for virtual number and is used to enumerate the PIE breakpoints. Num is the number of the associated real breakpoints at runtime in GDB.
You can omit the VNum argument to get info on all PIE breakpoints.
Usage:
gef\u27a4 pie info [VNum]\n\npie delete command","text":"This command deletes a PIE breakpoint given its VNum.
Usage:
gef\u27a4 pie delete [VNum]\npie attach command","text":"This command behaves like GDB's attach command. Always use this command instead of attach if you have PIE breakpoints. This will convert the PIE breakpoints to real breakpoints at runtime.
The usage is just the same as attach.
pie remote command","text":"This command behaves like GDB's remote command. Always use this command instead of remote if you have PIE breakpoints. Behind the scenes this will connect to the remote target using gef remote and then convert the PIE breakpoints to real breakpoints at runtime.
The usage is just the same as remote.
pie run command","text":"This command behaves like GDB's run command. Always use this command instead of run if you have PIE breakpoints. This will convert the PIE breakpoints to real breakpoints at runtime.
The usage is just the same as run.
print-format","text":"The command print-format (alias pf) will dump an arbitrary location as an array of bytes following the format specified. Currently, the output formats supported are
py - default)c)asm)js)hex)bytearray)gef\u27a4 print-format -h\n[+] print-format [--lang LANG] [--bitlen SIZE] [(--length,-l) LENGTH] [--clip] LOCATION\n --lang LANG specifies the output format for programming language (available: ['py', 'c', 'js', 'asm', 'hex'], default 'py').\n --bitlen SIZE specifies size of bit (possible values: [8, 16, 32, 64], default is 8).\n --length LENGTH specifies length of array (default is 256).\n --clip The output data will be copied to clipboard\n LOCATION specifies where the address of bytes is stored.\nFor example this command will dump 10 bytes from $rsp and copy the result to the clipboard.
gef\u27a4 print-format --lang py --bitlen 8 -l 10 --clip $rsp\n[+] Copied to clipboard\nbuf = [0x87, 0xfa, 0xa3, 0xf7, 0xff, 0x7f, 0x0, 0x0, 0x30, 0xe6]\nThese commands copy the first 10 bytes of $rsp+8 to $rip:
gef\u27a4 print-format --lang bytearray -l 10 $rsp+8\nSaved data b'\\xcb\\xe3\\xff\\xff\\xff\\x7f\\x00\\x00\\x00\\x00'... in '$_gef0'\ngef\u27a4 display/x $_gef0[5]\n4: /x $_gef0[5] = 0x7f\ngef\u27a4 patch byte $rip $_gef0\nVery handy to copy-paste-execute shellcodes/data from different memory regions.
"},{"location":"commands/process-search/","title":"process-search","text":""},{"location":"commands/process-search/#command-process-search","title":"Commandprocess-search","text":"process-search (aka ps) is a convenience command to list and filter process on the host. It is aimed at making the debugging process a little easier when targeting forking process (such as tcp/listening daemon that would fork upon accept()).
Without argument, it will return all processes reachable by user:
gef\u27a4 ps\n1 root 0.0 0.4 ? /sbin/init\n2 root 0.0 0.0 ? [kthreadd]\n3 root 0.0 0.0 ? [ksoftirqd/0]\n4 root 0.0 0.0 ? [kworker/0:0]\n5 root 0.0 0.0 ? [kworker/0:0H]\n6 root 0.0 0.0 ? [kworker/u2:0]\n7 root 0.0 0.0 ? [rcu_sched]\n8 root 0.0 0.0 ? [rcuos/0]\n9 root 0.0 0.0 ? [rcu_bh]\n10 root 0.0 0.0 ? [rcuob/0]\n11 root 0.0 0.0 ? [migration/0]\n[...]\nOr to filter with pattern:
gef\u27a4 ps bash\n22590 vagrant 0.0 0.8 pts/0 -bash\nNote: Use \"\\\" for escaping and \"\\\\\" for a literal backslash\" in the pattern.
ps also accepts options:
--smart-scan will filter out probably less relevant processes (belonging to different users, pattern matched to arguments instead of the commands themselves, etc.)--attach will automatically attach to the first process foundSo, for example, if your targeted process is called /home/foobar/plop, but the existing instance is used through socat, like
$ socat tcp-l:1234,fork,reuseaddr exec:/home/foobar/plop\nThen every time a new connection is opened to tcp/1234, plop will be forked, and GEF can easily attach to it with the command
gef\u27a4 ps --attach --smart-scan plop\nprocess-status","text":"This command replaces the old commands pid and fd.
process-status provides an exhaustive description of the current running process, by extending the information provided by GDB info proc command, with all the information from the procfs structure.
gef\u27a4 ps --smart-scan zsh\n22879\ngef\u27a4 attach 22879\n[...]\ngef\u27a4 status\n[+] Process Information\n PID \u2192 22879\n Executable \u2192 /bin/zsh\n Command line \u2192 '-zsh'\n[+] Parent Process Information\n Parent PID \u2192 4475\n Command line \u2192 'tmux new -s cool vibe\n[+] Children Process Information\n PID \u2192 26190 (Name: '/bin/sleep', CmdLine: 'sleep 100000')\n[+] File Descriptors:\n /proc/22879/fd/0 \u2192 /dev/pts/4\n /proc/22879/fd/1 \u2192 /dev/pts/4\n /proc/22879/fd/2 \u2192 /dev/pts/4\n /proc/22879/fd/10 \u2192 /dev/pts/4\n[+] File Descriptors:\n No TCP connections\nregisters","text":"The registers command will print all the registers and dereference any pointers.
Example on a MIPS host:
gef\u27a4 reg\n$zero : 0x00000000\n$at : 0x00000001\n$v0 : 0x7fff6cd8 -> 0x77e5e7f8 -> <__libc_start_main+200>: bnez v0,0x77e5e8a8\n$v1 : 0x77ff4490\n$a0 : 0x00000001\n$a1 : 0x7fff6d94 -> 0x7fff6e85 -> \"/root/demo-mips\"\n$a2 : 0x7fff6d9c -> 0x7fff6e91 -> \"SHELL=/bin/bash\"\n$a3 : 0x00000000\n$t0 : 0x77fc26a0 -> 0x0\n$t1 : 0x77fc26a0 -> 0x0\n$t2 : 0x77fe5000 -> \"_dl_fini\"\n$t3 : 0x77fe5000 -> \"_dl_fini\"\n$t4 : 0xf0000000\n$t5 : 0x00000070\n$t6 : 0x00000020\n$t7 : 0x7fff6bc8 -> 0x0\n$s0 : 0x00000000\n$s1 : 0x00000000\n$s2 : 0x00000000\n$s3 : 0x00500000\n$s4 : 0x00522f48\n$s5 : 0x00522608\n$s6 : 0x00000000\n$s7 : 0x00000000\n$t8 : 0x0000000b\n$t9 : 0x004008b0 -> <main>: addiu sp,sp,-32\n$k0 : 0x00000000\n$k1 : 0x00000000\n$s8 : 0x00000000\n$status : 0x0000a413\n$badvaddr : 0x77e7a874 -> <__cxa_atexit>: lui gp,0x15\n$cause : 0x10800024\n$pc : 0x004008c4 -> <main+20>: li v0,2\n$sp : 0x7fff6ca0 -> 0x77e4a834 -> 0x29bd\n$hi : 0x000001a5\n$lo : 0x00005e17\n$fir : 0x00739300\n$fcsr : 0x00000000\n$ra : 0x77e5e834 -> <__libc_start_main+260>: lw gp,16(sp)\n$gp : 0x00418b20\nIf one or more register names are passed to the registers command as optional arguments, then only those will be shown:
gef\u27a4 reg $rax $rip $rsp\n$rax : 0x0000555555555169 \u2192 <main+0> endbr64\n$rsp : 0x00007fffffffe3e8 \u2192 0x00007ffff7df40b3 \u2192 <__libc_start_main+243> mov edi, eax\n$rip : 0x0000555555555169 \u2192 <main+0> endbr64\nreset-cache","text":"This command is only useful for debugging GEF itself.
scan","text":"scan searches for addresses of one memory region (needle) inside another region (haystack) and lists all results.
Usage:
gef\u27a4 scan NEEDLE HAYSTACK\nscan requires two arguments, the first is the memory section that will be searched and the second is what will be searched for. The arguments are grepped against the process's memory mappings (just like vmmap) to determine the memory ranges to search.
gef\u27a4 scan stack libc\n[+] Searching for addresses in 'stack' that point to 'libc'\n[stack]: 0x00007fffffffd6a8\u2502+0x1f6a8: 0x00007ffff77cf482 \u2192 \"__tunable_get_val\"\n[stack]: 0x00007fffffffd6b0\u2502+0x1f6b0: 0x00007ffff77bff78 \u2192 0x0000001200001ab2\n[stack]: 0x00007fffffffd758\u2502+0x1f758: 0x00007ffff77cd9d0 \u2192 0x6c5f755f72647800\n[stack]: 0x00007fffffffd778\u2502+0x1f778: 0x00007ffff77bda6c \u2192 0x0000090900000907\n[stack]: 0x00007fffffffd7d8\u2502+0x1f7d8: 0x00007ffff77cd9d0 \u2192 0x6c5f755f72647800\n[...]\nTo check mappings without a path associated, an address range (start-end) can be used. Note that ranges don't include whitespaces.
"},{"location":"commands/search-pattern/","title":"search-pattern","text":""},{"location":"commands/search-pattern/#command-search-pattern","title":"Commandsearch-pattern","text":"gef allows you to search for a specific pattern at runtime in all the segments of your process memory layout. The command search-pattern, alias grep, aims to be straight-forward to use:
gef\u27a4 search-pattern MyPattern\nIt will provide an easily understandable to spot occurrences of the specified pattern, including the section it/they was/were found, and the permission associated to that section.
search-pattern can also be used to search for addresses. To do so, simply ensure that your pattern starts with 0x and is a valid hex address. For example:
gef\u27a4 search-pattern 0x4005f6\nThe search-pattern command can also be used as a way to search for cross-references to an address. For this reason, the alias xref also points to the command search-pattern. Therefore the command above is equivalent to xref 0x4005f6 which makes it more intuitive to use.
Sometimes, you may need to search for a very common pattern. To limit the search space, you can also specify an address range or the section to be checked.
gef\u27a4 search-pattern 0x4005f6 little libc\ngef\u27a4 search-pattern 0x4005f6 little 0x603100-0x603200\nSometimes, you may need an advanced search using regex. Just use --regex arg.
Example: how to find null-end-printable(from x20-x7e) C strings (min size >=2 bytes) with a regex:
gef\u27a4 search-pattern --regex 0x401000 0x401500 ([\\\\x20-\\\\x7E]{2,})(?=\\\\x00)\n\nshellcode","text":"shellcode is a command line client for @JonathanSalwan shellcodes database. It can be used to search and download directly via GEF the shellcode you're looking for. Two primitive subcommands are available, search and get
gef\u27a4 shellcode search arm\n[+] Showing matching shellcodes\n901 Linux/ARM Add map in /etc/hosts file - 79 bytes\n853 Linux/ARM chmod(\"/etc/passwd\", 0777) - 39 bytes\n854 Linux/ARM creat(\"/root/pwned\", 0777) - 39 bytes\n855 Linux/ARM execve(\"/bin/sh\", [], [0 vars]) - 35 bytes\n729 Linux/ARM Bind Connect UDP Port 68\n730 Linux/ARM Bindshell port 0x1337\n[...]\ngef\u27a4 shellcode get 698\n[+] Downloading shellcode id=698\n[+] Shellcode written as '/tmp/sc-EfcWtM.txt'\ngef\u27a4 system cat /tmp/sc-EfcWtM.txt\n/*\nTitle: Linux/ARM - execve(\"/bin/sh\", [0], [0 vars]) - 27 bytes\nDate: 2010-09-05\nTested on: ARM926EJ-S rev 5 (v5l)\nAuthor: Jonathan Salwan - twitter: @jonathansalwan\n\nshell-storm.org\n\nShellcode ARM without 0x20, 0x0a and 0x00\n[...]\nskipi","text":"The skipi command allows you to easily skip instructions execution.
skipi [LOCATION] [--n NUM_INSTRUCTIONS]\nLOCATION address/symbol from where to skip (default is $pc)
--n NUM_INSTRUCTIONS Skip the specified number of instructions instead of the default 1.
gef\u27a4 skipi\ngef\u27a4 skipi --n 3\ngef\u27a4 skipi 0x69696969\ngef\u27a4 skipi 0x69696969 --n 6\nstub","text":"The stub command allows you stub out functions, optionally specifying the return value.
gef\u27a4 stub [-h] [--retval RETVAL] [address]\naddress indicates the address of the function to bypass. If not specified, GEF will consider the instruction at the program counter to be the start of the function.
If --retval RETVAL is provided, GEF will set the return value to the provided value. Otherwise, it will set the return value to 0.
For example, it is trivial to bypass fork() calls. Since the return value is set to 0, it will in fact drop us into the \"child\" process. It must be noted that this is a different behaviour from the classic set follow-fork-mode child since here we do not spawn a new process, we only trick the parent process into thinking it has become the child.
Patching fork() calls:
theme","text":"Customize GEF by changing its color scheme.
gef\u27a4 theme\ncontext_title_message : red bold\ndefault_title_message : red bold\ndefault_title_line : green bold\ncontext_title_line : green bold\ndisable_color : 0\nxinfo_title_message : blue bold\nYou have the possibility to change the coloring properties of GEF display with the theme command. The command accepts 2 arguments, the name of the property to update, and its new coloring value.
Colors can be one of the following:
Color also accepts the following attributes:
Any other will value simply be ignored.
gef\u27a4 theme context_title_message blue bold foobar\ngef\u27a4 theme\ncontext_title_message : blue bold\ndefault_title_message : red bold\ndefault_title_line : green bold\ncontext_title_line : green bold\ndisable_color : 0\nxinfo_title_message : blue bold\ntmux-setup","text":"In the purpose of always making debugging sessions easier while being more effective, GEF integrates two commands:
tmux-setupscreen-setupThose commands will check whether GDB is being spawn from inside a tmux (resp. screen) session, and if so, will split the pane vertically, and configure the context to be redirected to the new pane, looking something like:
To set it up, simply enter
gef\u27a4 tmux-setup\nNote: Although screen-setup provides a similar setup, the structure of screen does not allow a very clean way to do this. Therefore, if possible, it would be recommended to use the tmux-setup command instead.
On Linux tmux only supports 8 colors with some terminal capabilities ($TERM environment variable). This can mess up your color themes when using GEF with tmux. To remedy this if your terminal supports more colors you can either set the variable to something like TERM=screen-256color or if you don't want or can't change that variable you can start tmux with the -2 flag to force tmux to use 256 colors.
trace-run","text":"The trace-run command is meant to be provide a visual appreciation directly in IDA disassembler of the path taken by a specific execution. It should be used with the IDA script ida_color_gdb_trace.py
It will trace and store all values taken by $pc during the execution flow, from its current value, until the value provided as argument.
gef> trace-run <address_of_last_instruction_to_trace>\nBy using the script ida_color_gdb_trace.py on the text file generated, it will color the path taken:
version","text":"Print out version information about your current gdb environment.
"},{"location":"commands/version/#usage-examples","title":"Usage Examples","text":"When GEF is located in a directory tracked with git:
gef\u27a4 version\nGEF: rev:48a9fd74dd39db524fb395e7db528f85cc49d081 (Git - clean)\nSHA1(/gef/rules/gef.py): 848cdc87ba7c3e99e8129ad820c9fcc0973b1e99\nGDB: 9.2\nGDB-Python: 3.8\nOtherwise the command shows the standalone information:
gef\u27a4 version\nGEF: (Standalone)\nBlob Hash(/gef/rules/gef.py): f0aef0f481e8157006b26690bd121585d3befee0\nSHA1(/gef/rules/gef.py): 4b26a1175abcd8314d4816f97fdf908b3837c779\nGDB: 9.2\nGDB-Python: 3.8\nThe Blob Hash can be used to easily find the git commit(s) matching this file revision.
git log --oneline --find-object <BLOB_HASH>\nIf this command does not return anything then the file was most likely modified and cannot be matched to a specific git commit.
"},{"location":"commands/vmmap/","title":"vmmap","text":""},{"location":"commands/vmmap/#command-vmmap","title":"Commandvmmap","text":"vmmap displays the target process's entire memory space mapping.
Interestingly, it helps finding secret gems: as an aware reader might have seen, memory mapping differs from one architecture to another (this is one of the main reasons I started GEF in a first place). For example, you can learn that ELF running on SPARC architectures always have their .data and heap sections set as Read/Write/Execute.
vmmap accepts one argument, either a pattern to match again mapping names, or an address to determine which section it belongs to.
xfiles","text":"xfiles is a more convenient representation of the GDB native command, info files allowing you to filter by pattern given in argument. For example, if you only want to show the code sections (i.e. .text):
xinfo","text":"xinfo displays all the information known to gef about the specific address given as argument:
Important note : For performance reasons, gef caches certain results. gef will try to automatically refresh its own cache to avoid relying on obsolete information of the debugged process. However, in some dodgy scenario, gef might fail detecting some new events making its cache partially obsolete. If you notice an inconsistency on your memory mapping, you might want to force gef flushing its cache and fetching brand new data, by running the command reset-cache.
xor-memory","text":"This command is used to XOR a block of memory.
Its syntax is:
xor-memory <display|patch> <address> <size_to_read> <xor_key>\nThe first argument (display or patch) is the action to perform:
display will only show an hexdump of the result of the XOR-ed memory block, without writing the debuggee's memory.
gef\u27a4 xor display $rsp 16 1337\n[+] Displaying XOR-ing 0x7fff589b67f8-0x7fff589b6808 with '1337'\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500[ Original block ]\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n0x00007fff589b67f8 46 4e 40 00 00 00 00 00 00 00 00 00 00 00 00 00 FN@.............\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500[ XOR-ed block ]\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n0x00007fff589b67f8 55 79 53 37 13 37 13 37 13 37 13 37 13 37 13 37 UyS7.7.7.7.7.7.7\npatch will overwrite the memory with the xor-ed content.
gef\u27a4 xor patch $rsp 16 1337\n[+] Patching XOR-ing 0x7fff589b67f8-0x7fff589b6808 with '1337'\ngef\u27a4 hexdump byte $rsp 16\n0x00007fff589b67f8 55 79 53 37 13 37 13 37 13 37 UyS7.7.7.7\n$_base()","text":"Return the matching file's base address plus an optional offset. Defaults to current file. Note that quotes need to be escaped.
Note: a debugging session must be active
$_base([filepath])\nExample:
gef\u27a4 p $_base(\\\"/usr/lib/ld-2.33.so\\\")\n$_bss()","text":"Return the current BSS base address plus the given offset.
Note: a debugging session must be active
$_bss([offset])\nExample:
gef\u27a4 p $_bss(0x20)\n$_got()","text":"Return the current GOT base address plus the given offset.
Note: a debugging session must be active
$_got([offset])\nExample:
gef\u27a4 p $_got(0x20)\n$_heap()","text":"Return the current heap base address plus the given offset.
Note: a debugging session must be active
$_heap([offset])\nExample:
gef\u27a4 p $_heap(0x20)\n$_stack()","text":"Return the current stack base address plus the given offset.
Note: a debugging session must be active
$_stack([offset])\nExample:
gef\u27a4 p $_stack(0x20)\ncontext","text":""},{"location":"settings/context/#enable","title":"enable","text":"Name context.enable
Type bool
DefaultValue: True
Description Enable/disable printing the context when breaking
"},{"location":"settings/context/#show_source_code_variable_values","title":"show_source_code_variable_values","text":"Name context.show_source_code_variable_values
Type bool
DefaultValue: True
Description Show extra PC context info in the source code
"},{"location":"settings/context/#show_stack_raw","title":"show_stack_raw","text":"Name context.show_stack_raw
Type bool
DefaultValue: False
Description Show the stack pane as raw hexdump (no dereference)
"},{"location":"settings/context/#show_registers_raw","title":"show_registers_raw","text":"Name context.show_registers_raw
Type bool
DefaultValue: False
Description Show the registers pane with raw values (no dereference)
"},{"location":"settings/context/#show_opcodes_size","title":"show_opcodes_size","text":"Name context.show_opcodes_size
Type int
DefaultValue: 0
Description Number of bytes of opcodes to display next to the disassembly
"},{"location":"settings/context/#peek_calls","title":"peek_calls","text":"Name context.peek_calls
Type bool
DefaultValue: True
Description Peek into calls
"},{"location":"settings/context/#peek_ret","title":"peek_ret","text":"Name context.peek_ret
Type bool
DefaultValue: True
Description Peek at return address
"},{"location":"settings/context/#nb_lines_stack","title":"nb_lines_stack","text":"Name context.nb_lines_stack
Type int
DefaultValue: 8
Description Number of line in the stack pane
"},{"location":"settings/context/#grow_stack_down","title":"grow_stack_down","text":"Name context.grow_stack_down
Type bool
DefaultValue: False
Description Order of stack downward starts at largest down to stack pointer
"},{"location":"settings/context/#nb_lines_backtrace","title":"nb_lines_backtrace","text":"Name context.nb_lines_backtrace
Type int
DefaultValue: 10
Description Number of line in the backtrace pane
"},{"location":"settings/context/#nb_lines_backtrace_before","title":"nb_lines_backtrace_before","text":"Name context.nb_lines_backtrace_before
Type int
DefaultValue: 2
Description Number of line in the backtrace pane before selected frame
"},{"location":"settings/context/#nb_lines_threads","title":"nb_lines_threads","text":"Name context.nb_lines_threads
Type int
DefaultValue: -1
Description Number of line in the threads pane
"},{"location":"settings/context/#nb_lines_code","title":"nb_lines_code","text":"Name context.nb_lines_code
Type int
DefaultValue: 6
Description Number of instruction after $pc
"},{"location":"settings/context/#nb_lines_code_prev","title":"nb_lines_code_prev","text":"Name context.nb_lines_code_prev
Type int
DefaultValue: 3
Description Number of instruction before $pc
"},{"location":"settings/context/#ignore_registers","title":"ignore_registers","text":"Name context.ignore_registers
Type str
DefaultValue: ``
Description Space-separated list of registers not to display (e.g. '$cs $ds $gs')
"},{"location":"settings/context/#clear_screen","title":"clear_screen","text":"Name context.clear_screen
Type bool
DefaultValue: True
Description Clear the screen before printing the context
"},{"location":"settings/context/#layout","title":"layout","text":"Name context.layout
Type str
DefaultValue: legend regs stack code args source memory threads trace extra
Description Change the order/presence of the context sections
"},{"location":"settings/context/#redirect","title":"redirect","text":"Name context.redirect
Type str
DefaultValue: ``
Description Redirect the context information to another TTY
"},{"location":"settings/context/#libc_args","title":"libc_args","text":"Name context.libc_args
Type bool
DefaultValue: False
Description [DEPRECATED - Unused] Show libc function call args description
"},{"location":"settings/context/#libc_args_path","title":"libc_args_path","text":"Name context.libc_args_path
Type str
DefaultValue: ``
Description [DEPRECATED - Unused] Path to libc function call args json files, provided via gef-extras
"},{"location":"settings/dereference/","title":"Settings for commanddereference","text":""},{"location":"settings/dereference/#max_recursion","title":"max_recursion","text":"Name dereference.max_recursion
Type int
DefaultValue: 7
Description Maximum level of pointer recursion
"},{"location":"settings/entry-break/","title":"Settings for commandentry-break","text":""},{"location":"settings/entry-break/#entrypoint_symbols","title":"entrypoint_symbols","text":"Name entry-break.entrypoint_symbols
Type str
DefaultValue: main _main __libc_start_main __uClibc_main start _start
Description Possible symbols for entry points
"},{"location":"settings/gef/","title":"Settings for commandgef","text":""},{"location":"settings/gef/#follow_child","title":"follow_child","text":"Name gef.follow_child
Type bool
DefaultValue: True
Description Automatically set GDB to follow child when forking
"},{"location":"settings/gef/#readline_compat","title":"readline_compat","text":"Name gef.readline_compat
Type bool
DefaultValue: False
Description Workaround for readline SOH/ETX issue (SEGV)
"},{"location":"settings/gef/#debug","title":"debug","text":"Name gef.debug
Type bool
DefaultValue: False
Description Enable debug mode for gef
"},{"location":"settings/gef/#autosave_breakpoints_file","title":"autosave_breakpoints_file","text":"Name gef.autosave_breakpoints_file
Type str
DefaultValue: ``
Description Automatically save and restore breakpoints
"},{"location":"settings/gef/#extra_plugins_dir","title":"extra_plugins_dir","text":"Name gef.extra_plugins_dir
Type str
DefaultValue: ``
Description Autoload additional GEF commands from external directory
"},{"location":"settings/gef/#disable_color","title":"disable_color","text":"Name gef.disable_color
Type bool
DefaultValue: True
Description Disable all colors in GEF
"},{"location":"settings/gef/#tempdir","title":"tempdir","text":"Name gef.tempdir
Type str
DefaultValue: /tmp/gef
Description Directory to use for temporary/cache content
"},{"location":"settings/gef/#show_deprecation_warnings","title":"show_deprecation_warnings","text":"Name gef.show_deprecation_warnings
Type bool
DefaultValue: True
Description Toggle the display of the deprecated warnings
buffer","text":"Name gef.buffer
Type bool
DefaultValue: True
Description Internally buffer command output until completion
"},{"location":"settings/gef/#bruteforce_main_arena","title":"bruteforce_main_arena","text":"Name gef.bruteforce_main_arena
Type bool
DefaultValue: False
Description Allow bruteforcing main_arena symbol if everything else fails
"},{"location":"settings/gef/#main_arena_offset","title":"main_arena_offset","text":"Name gef.main_arena_offset
Type str
DefaultValue: ``
Description Offset from libc base address to main_arena symbol (int or hex). Set to empty string to disable.
"},{"location":"settings/got/","title":"Settings for commandgot","text":""},{"location":"settings/got/#function_resolved","title":"function_resolved","text":"Name got.function_resolved
Type str
DefaultValue: green
Description Line color of the got command output for resolved function
"},{"location":"settings/got/#function_not_resolved","title":"function_not_resolved","text":"Name got.function_not_resolved
Type str
DefaultValue: yellow
Description Line color of the got command output for unresolved function
"},{"location":"settings/heap-analysis-helper/","title":"Settings for commandheap-analysis-helper","text":""},{"location":"settings/heap-analysis-helper/#check_free_null","title":"check_free_null","text":"Name heap-analysis-helper.check_free_null
Type bool
DefaultValue: False
Description Break execution when a free(NULL) is encountered
"},{"location":"settings/heap-analysis-helper/#check_double_free","title":"check_double_free","text":"Name heap-analysis-helper.check_double_free
Type bool
DefaultValue: True
Description Break execution when a double free is encountered
"},{"location":"settings/heap-analysis-helper/#check_weird_free","title":"check_weird_free","text":"Name heap-analysis-helper.check_weird_free
Type bool
DefaultValue: True
Description Break execution when free() is called against a non-tracked pointer
"},{"location":"settings/heap-analysis-helper/#check_uaf","title":"check_uaf","text":"Name heap-analysis-helper.check_uaf
Type bool
DefaultValue: True
Description Break execution when a possible Use-after-Free condition is found
"},{"location":"settings/heap-analysis-helper/#check_heap_overlap","title":"check_heap_overlap","text":"Name heap-analysis-helper.check_heap_overlap
Type bool
DefaultValue: True
Description Break execution when a possible overlap in allocation is found
"},{"location":"settings/heap-chunks/","title":"Settings for commandheap-chunks","text":""},{"location":"settings/heap-chunks/#peek_nb_byte","title":"peek_nb_byte","text":"Name heap-chunks.peek_nb_byte
Type int
DefaultValue: 16
Description Hexdump N first byte(s) inside the chunk data (0 to disable)
"},{"location":"settings/hexdump/","title":"Settings for commandhexdump","text":""},{"location":"settings/hexdump/#always_show_ascii","title":"always_show_ascii","text":"Name hexdump.always_show_ascii
Type bool
DefaultValue: False
Description If true, hexdump will always display the ASCII dump
"},{"location":"settings/highlight/","title":"Settings for commandhighlight","text":""},{"location":"settings/highlight/#regex","title":"regex","text":"Name highlight.regex
Type bool
DefaultValue: False
Description Enable regex highlighting
"},{"location":"settings/pattern/","title":"Settings for commandpattern","text":""},{"location":"settings/pattern/#length","title":"length","text":"Name pattern.length
Type int
DefaultValue: 1024
Description Default length of a cyclic buffer to generate
"},{"location":"settings/pcustom/","title":"Settings for commandpcustom","text":""},{"location":"settings/pcustom/#struct_path","title":"struct_path","text":"Name pcustom.struct_path
Type str
DefaultValue: /tmp/gef/structs
Description Path to store/load the structure ctypes files
"},{"location":"settings/pcustom/#max_depth","title":"max_depth","text":"Name pcustom.max_depth
Type int
DefaultValue: 4
Description Maximum level of recursion supported
"},{"location":"settings/pcustom/#structure_name","title":"structure_name","text":"Name pcustom.structure_name
Type str
DefaultValue: bold blue
Description Color of the structure name
"},{"location":"settings/pcustom/#structure_type","title":"structure_type","text":"Name pcustom.structure_type
Type str
DefaultValue: bold red
Description Color of the attribute type
"},{"location":"settings/pcustom/#structure_size","title":"structure_size","text":"Name pcustom.structure_size
Type str
DefaultValue: green
Description Color of the attribute size
"},{"location":"settings/print-format/","title":"Settings for commandprint-format","text":""},{"location":"settings/print-format/#max_size_preview","title":"max_size_preview","text":"Name print-format.max_size_preview
Type int
DefaultValue: 10
Description max size preview of bytes
"},{"location":"settings/process-search/","title":"Settings for commandprocess-search","text":""},{"location":"settings/process-search/#ps_command","title":"ps_command","text":"Name process-search.ps_command
Type str
DefaultValue: /usr/bin/ps auxww
Description ps command to get process information
search-pattern","text":""},{"location":"settings/search-pattern/#max_size_preview","title":"max_size_preview","text":"Name search-pattern.max_size_preview
Type int
DefaultValue: 10
Description max size preview of bytes
"},{"location":"settings/search-pattern/#nr_pages_chunk","title":"nr_pages_chunk","text":"Name search-pattern.nr_pages_chunk
Type int
DefaultValue: 1024
Description number of pages readed for each memory read chunk
"},{"location":"settings/theme/","title":"Settings for commandtheme","text":""},{"location":"settings/theme/#context_title_line","title":"context_title_line","text":"Name theme.context_title_line
Type str
DefaultValue: gray
Description Color of the borders in context window
"},{"location":"settings/theme/#context_title_message","title":"context_title_message","text":"Name theme.context_title_message
Type str
DefaultValue: cyan
Description Color of the title in context window
"},{"location":"settings/theme/#default_title_line","title":"default_title_line","text":"Name theme.default_title_line
Type str
DefaultValue: gray
Description Default color of borders
"},{"location":"settings/theme/#default_title_message","title":"default_title_message","text":"Name theme.default_title_message
Type str
DefaultValue: cyan
Description Default color of title
"},{"location":"settings/theme/#table_heading","title":"table_heading","text":"Name theme.table_heading
Type str
DefaultValue: blue
Description Color of the column headings to tables (e.g. vmmap)
"},{"location":"settings/theme/#old_context","title":"old_context","text":"Name theme.old_context
Type str
DefaultValue: gray
Description Color to use to show things such as code that is not immediately relevant
"},{"location":"settings/theme/#disassemble_current_instruction","title":"disassemble_current_instruction","text":"Name theme.disassemble_current_instruction
Type str
DefaultValue: green
Description Color to use to highlight the current $pc when disassembling
"},{"location":"settings/theme/#dereference_string","title":"dereference_string","text":"Name theme.dereference_string
Type str
DefaultValue: yellow
Description Color of dereferenced string
"},{"location":"settings/theme/#dereference_code","title":"dereference_code","text":"Name theme.dereference_code
Type str
DefaultValue: gray
Description Color of dereferenced code
"},{"location":"settings/theme/#dereference_base_address","title":"dereference_base_address","text":"Name theme.dereference_base_address
Type str
DefaultValue: cyan
Description Color of dereferenced address
"},{"location":"settings/theme/#dereference_register_value","title":"dereference_register_value","text":"Name theme.dereference_register_value
Type str
DefaultValue: bold blue
Description Color of dereferenced register
"},{"location":"settings/theme/#registers_register_name","title":"registers_register_name","text":"Name theme.registers_register_name
Type str
DefaultValue: blue
Description Color of the register name in the register window
"},{"location":"settings/theme/#registers_value_changed","title":"registers_value_changed","text":"Name theme.registers_value_changed
Type str
DefaultValue: bold red
Description Color of the changed register in the register window
"},{"location":"settings/theme/#address_stack","title":"address_stack","text":"Name theme.address_stack
Type str
DefaultValue: pink
Description Color to use when a stack address is found
"},{"location":"settings/theme/#address_heap","title":"address_heap","text":"Name theme.address_heap
Type str
DefaultValue: green
Description Color to use when a heap address is found
"},{"location":"settings/theme/#address_code","title":"address_code","text":"Name theme.address_code
Type str
DefaultValue: red
Description Color to use when a code address is found
"},{"location":"settings/theme/#source_current_line","title":"source_current_line","text":"Name theme.source_current_line
Type str
DefaultValue: green
Description Color to use for the current code line in the source window
"},{"location":"settings/trace-run/","title":"Settings for commandtrace-run","text":""},{"location":"settings/trace-run/#max_tracing_recursion","title":"max_tracing_recursion","text":"Name trace-run.max_tracing_recursion
Type int
DefaultValue: 1
Description Maximum depth of tracing
"},{"location":"settings/trace-run/#tracefile_prefix","title":"tracefile_prefix","text":"Name trace-run.tracefile_prefix
Type str
DefaultValue: ./gef-trace-
Description Specify the tracing output file prefix
"}]} \ No newline at end of file diff --git a/settings/context/index.html b/settings/context/index.html new file mode 100644 index 000000000..b56bceb05 --- /dev/null +++ b/settings/context/index.html @@ -0,0 +1,2130 @@ + + + + + + + + + + + + + + + + + + + + + +contextenableName context.enable
Type bool
DefaultValue: True
Description Enable/disable printing the context when breaking
+show_source_code_variable_valuesName context.show_source_code_variable_values
Type bool
DefaultValue: True
Description Show extra PC context info in the source code
+show_stack_rawName context.show_stack_raw
Type bool
DefaultValue: False
Description Show the stack pane as raw hexdump (no dereference)
+show_registers_rawName context.show_registers_raw
Type bool
DefaultValue: False
Description Show the registers pane with raw values (no dereference)
+show_opcodes_sizeName context.show_opcodes_size
Type int
DefaultValue: 0
Description Number of bytes of opcodes to display next to the disassembly
+peek_callsName context.peek_calls
Type bool
DefaultValue: True
Description Peek into calls
+peek_retName context.peek_ret
Type bool
DefaultValue: True
Description Peek at return address
+nb_lines_stackName context.nb_lines_stack
Type int
DefaultValue: 8
Description Number of line in the stack pane
+grow_stack_downName context.grow_stack_down
Type bool
DefaultValue: False
Description Order of stack downward starts at largest down to stack pointer
+nb_lines_backtraceName context.nb_lines_backtrace
Type int
DefaultValue: 10
Description Number of line in the backtrace pane
+nb_lines_backtrace_beforeName context.nb_lines_backtrace_before
Type int
DefaultValue: 2
Description Number of line in the backtrace pane before selected frame
+nb_lines_threadsName context.nb_lines_threads
Type int
DefaultValue: -1
Description Number of line in the threads pane
+nb_lines_codeName context.nb_lines_code
Type int
DefaultValue: 6
Description Number of instruction after $pc
+nb_lines_code_prevName context.nb_lines_code_prev
Type int
DefaultValue: 3
Description Number of instruction before $pc
+ignore_registersName context.ignore_registers
Type str
DefaultValue: ``
+Description Space-separated list of registers not to display (e.g. '$cs $ds $gs')
+clear_screenName context.clear_screen
Type bool
DefaultValue: True
Description Clear the screen before printing the context
+layoutName context.layout
Type str
DefaultValue: legend regs stack code args source memory threads trace extra
Description Change the order/presence of the context sections
+redirectName context.redirect
Type str
DefaultValue: ``
+Description Redirect the context information to another TTY
+libc_argsName context.libc_args
Type bool
DefaultValue: False
Description [DEPRECATED - Unused] Show libc function call args description
+libc_args_pathName context.libc_args_path
Type str
DefaultValue: ``
+Description [DEPRECATED - Unused] Path to libc function call args json files, provided via gef-extras
+ + + + + + +dereferencemax_recursionName dereference.max_recursion
Type int
DefaultValue: 7
Description Maximum level of pointer recursion
+ + + + + + +entry-breakentrypoint_symbolsName entry-break.entrypoint_symbols
Type str
DefaultValue: main _main __libc_start_main __uClibc_main start _start
Description Possible symbols for entry points
+ + + + + + +geffollow_childName gef.follow_child
Type bool
DefaultValue: True
Description Automatically set GDB to follow child when forking
+readline_compatName gef.readline_compat
Type bool
DefaultValue: False
Description Workaround for readline SOH/ETX issue (SEGV)
+debugName gef.debug
Type bool
DefaultValue: False
Description Enable debug mode for gef
+autosave_breakpoints_fileName gef.autosave_breakpoints_file
Type str
DefaultValue: ``
+Description Automatically save and restore breakpoints
+extra_plugins_dirName gef.extra_plugins_dir
Type str
DefaultValue: ``
+Description Autoload additional GEF commands from external directory
+disable_colorName gef.disable_color
Type bool
DefaultValue: True
Description Disable all colors in GEF
+tempdirName gef.tempdir
Type str
DefaultValue: /tmp/gef
Description Directory to use for temporary/cache content
+show_deprecation_warningsName gef.show_deprecation_warnings
Type bool
DefaultValue: True
Description Toggle the display of the deprecated warnings
bufferName gef.buffer
Type bool
DefaultValue: True
Description Internally buffer command output until completion
+bruteforce_main_arenaName gef.bruteforce_main_arena
Type bool
DefaultValue: False
Description Allow bruteforcing main_arena symbol if everything else fails
+main_arena_offsetName gef.main_arena_offset
Type str
DefaultValue: ``
+Description Offset from libc base address to main_arena symbol (int or hex). Set to empty string to disable.
+ + + + + + +gotfunction_resolvedName got.function_resolved
Type str
DefaultValue: green
Description Line color of the got command output for resolved function
+function_not_resolvedName got.function_not_resolved
Type str
DefaultValue: yellow
Description Line color of the got command output for unresolved function
+ + + + + + +heap-analysis-helpercheck_free_nullName heap-analysis-helper.check_free_null
Type bool
DefaultValue: False
Description Break execution when a free(NULL) is encountered
+check_double_freeName heap-analysis-helper.check_double_free
Type bool
DefaultValue: True
Description Break execution when a double free is encountered
+check_weird_freeName heap-analysis-helper.check_weird_free
Type bool
DefaultValue: True
Description Break execution when free() is called against a non-tracked pointer
+check_uafName heap-analysis-helper.check_uaf
Type bool
DefaultValue: True
Description Break execution when a possible Use-after-Free condition is found
+check_heap_overlapName heap-analysis-helper.check_heap_overlap
Type bool
DefaultValue: True
Description Break execution when a possible overlap in allocation is found
+ + + + + + +heap-chunkspeek_nb_byteName heap-chunks.peek_nb_byte
Type int
DefaultValue: 16
Description Hexdump N first byte(s) inside the chunk data (0 to disable)
+ + + + + + +hexdumpalways_show_asciiName hexdump.always_show_ascii
Type bool
DefaultValue: False
Description If true, hexdump will always display the ASCII dump
+ + + + + + +highlightregexName highlight.regex
Type bool
DefaultValue: False
Description Enable regex highlighting
+ + + + + + +patternlengthName pattern.length
Type int
DefaultValue: 1024
Description Default length of a cyclic buffer to generate
+ + + + + + +pcustomstruct_pathName pcustom.struct_path
Type str
DefaultValue: /tmp/gef/structs
Description Path to store/load the structure ctypes files
+max_depthName pcustom.max_depth
Type int
DefaultValue: 4
Description Maximum level of recursion supported
+structure_nameName pcustom.structure_name
Type str
DefaultValue: bold blue
Description Color of the structure name
+structure_typeName pcustom.structure_type
Type str
DefaultValue: bold red
Description Color of the attribute type
+structure_sizeName pcustom.structure_size
Type str
DefaultValue: green
Description Color of the attribute size
+ + + + + + +print-formatmax_size_previewName print-format.max_size_preview
Type int
DefaultValue: 10
Description max size preview of bytes
+ + + + + + +process-searchps_commandName process-search.ps_command
Type str
DefaultValue: /usr/bin/ps auxww
Description ps command to get process information
search-patternmax_size_previewName search-pattern.max_size_preview
Type int
DefaultValue: 10
Description max size preview of bytes
+nr_pages_chunkName search-pattern.nr_pages_chunk
Type int
DefaultValue: 1024
Description number of pages readed for each memory read chunk
+ + + + + + +themecontext_title_lineName theme.context_title_line
Type str
DefaultValue: gray
Description Color of the borders in context window
+context_title_messageName theme.context_title_message
Type str
DefaultValue: cyan
Description Color of the title in context window
+default_title_lineName theme.default_title_line
Type str
DefaultValue: gray
Description Default color of borders
+default_title_messageName theme.default_title_message
Type str
DefaultValue: cyan
Description Default color of title
+table_headingName theme.table_heading
Type str
DefaultValue: blue
Description Color of the column headings to tables (e.g. vmmap)
+old_contextName theme.old_context
Type str
DefaultValue: gray
Description Color to use to show things such as code that is not immediately relevant
+disassemble_current_instructionName theme.disassemble_current_instruction
Type str
DefaultValue: green
Description Color to use to highlight the current $pc when disassembling
+dereference_stringName theme.dereference_string
Type str
DefaultValue: yellow
Description Color of dereferenced string
+dereference_codeName theme.dereference_code
Type str
DefaultValue: gray
Description Color of dereferenced code
+dereference_base_addressName theme.dereference_base_address
Type str
DefaultValue: cyan
Description Color of dereferenced address
+dereference_register_valueName theme.dereference_register_value
Type str
DefaultValue: bold blue
Description Color of dereferenced register
+registers_register_nameName theme.registers_register_name
Type str
DefaultValue: blue
Description Color of the register name in the register window
+registers_value_changedName theme.registers_value_changed
Type str
DefaultValue: bold red
Description Color of the changed register in the register window
+address_stackName theme.address_stack
Type str
DefaultValue: pink
Description Color to use when a stack address is found
+address_heapName theme.address_heap
Type str
DefaultValue: green
Description Color to use when a heap address is found
+address_codeName theme.address_code
Type str
DefaultValue: red
Description Color to use when a code address is found
+source_current_lineName theme.source_current_line
Type str
DefaultValue: green
Description Color to use for the current code line in the source window
+ + + + + + +trace-runmax_tracing_recursionName trace-run.max_tracing_recursion
Type int
DefaultValue: 1
Description Maximum depth of tracing
+tracefile_prefixName trace-run.tracefile_prefix
Type str
DefaultValue: ./gef-trace-
Description Specify the tracing output file prefix
+ + + + + + +This page describes how GEF testing is done. Any new command/functionality must receive adequate +testing to be merged. Also PR failing CI (test + linting) won't be merged either.
+All the prerequisite packages are in requirements.txt file at the root of the project. So running
python -m pip install -r tests/requirements.txt --user -U
+is enough to get started.
+pytestFor testing GEF on the architecture on the host running the tests (most cases), simply run
+cd /root/of/gef
+python3 -m pytest -v -k "not benchmark" tests
+Note that to ensure compatibility, tests must be executed with the same Python version GDB was +compiled against. To obtain this version, you can execute the following command:
+gdb -q -nx -ex "pi print('.'.join(map(str, sys.version_info[:2])))" -ex quit
+At the end, a summary of explanation will be shown, clearly indicating the tests that have failed, +for instance:
+=================================== short test summary info ==================================
+FAILED tests/commands/heap.py::HeapCommand::test_cmd_heap_bins_large - AssertionError: 'siz...
+FAILED tests/commands/heap.py::HeapCommand::test_cmd_heap_bins_small - AssertionError: 'siz...
+FAILED tests/commands/heap.py::HeapCommand::test_cmd_heap_bins_unsorted - AssertionError: '...
+======================== 3 failed, 4 passed, 113 deselected in 385.77s (0:06:25)==============
+You can then use pytest directly to help you fix each error specifically.
pytestGEF entirely relies on pytest for its testing. Refer to the project
+documentation for details.
Adding a new command requires for extensive testing in a new dedicated test module that should
+be located in /root/of/gef/tests/commands/my_new_command.py
A skeleton of a test module would look something like:
+"""
+`my-command` command test module
+"""
+
+
+from tests.utils import GefUnitTestGeneric, gdb_run_cmd, gdb_start_silent_cmd
+
+
+class MyCommandCommand(GefUnitTestGeneric):
+ """`my-command` command test module"""
+
+ def test_cmd_my_command(self):
+ # `my-command` is expected to fail if the session is not active
+ self.assertFailIfInactiveSession(gdb_run_cmd("my-command"))
+
+ # `my-command` should never throw an exception in GDB when running
+ res = gdb_start_silent_cmd("my-command")
+ self.assertNoException(res)
+
+ # it also must print out a "Hello World" message
+ self.assertIn("Hello World", res)
+When running your test, you can summon pytest with the --pdb flag to enter the python testing
+environment to help you get more information about the reason of failure.
One of the most convenient ways to test gef properly is using the pytest integration of modern
+editors such as VisualStudio Code or PyCharm. Without proper tests, new code will not be integrated.
You can use the Makefile at the root of the project to get the proper linting settings. For most +cases, the following command is enough:
+cd /root/of/gef
+python3 -m pylint --rcfile .pylintrc
+Note that to ensure compatibility, tests must be executed with the same Python version GDB was +compiled against. To obtain this version, you can execute the following command:
+gdb -q -nx -ex "pi print('.'.join(map(str, sys.version_info[:2])))" -ex quit
+Benchmarking relies on pytest-benchmark and is experimental for now.
You can run all benchmark test cases as such:
+cd /root/of/gef
+pytest -k benchmark
+which will return (after some time) an execution summary
+tests/perf/benchmark.py .. [100%]
+
+
+---------------------------------------- benchmark: 3 tests -----------------------------------
+Name (time in ms) Min Max Mean StdDev Median IQR Outliers OPS Rounds Iterations
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+time_baseline 612.2325 (1.0) 630.3416 (1.01) 623.7984 (1.01) 7.2848 (1.64) 626.1485 (1.01) 9.9971 (1.81) 1;0 1.6031 (0.99) 5 1
+time_cmd_context 613.8124 (1.00) 625.8964 (1.0) 620.1908 (1.0) 4.4532 (1.0) 619.8831 (1.0) 5.5109 (1.0) 2;0 1.6124 (1.0) 5 1
+time_elf_parsing 616.5053 (1.01) 638.6965 (1.02) 628.1588 (1.01) 8.2465 (1.85) 629.0099 (1.01) 10.7885 (1.96) 2;0 1.5920 (0.99) 5 1
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+Legend:
+ Outliers: 1 Standard Deviation from Mean; 1.5 IQR (InterQuartile Range) from 1st Quartile and 3rd Quartile.
+ OPS: Operations Per Second, computed as 1 / Mean
+============================================== 3 passed, 117 deselected in 14.78s =============================================
+