Basic GDB usage

1. Displaying information

- i (info)
- p (print)
- x (examine)

- Memory
  1. x/[count][format][unit] *address (see `help x` for the format and unit letters)
  2. x/[count][format][unit] $register
  3. p *address: print the value stored at this address
      (p/format also changes the output format of the value: binary, decimal, hexadecimal, etc.)
  4. p **address: print the value stored at the address that is stored at this address (* works like pointer dereference in C)
  5. p $register: print the value held in the register
  6. i proc m (info proc mappings; pwndbg: vmmap): show the memory mappings
  7. x function_name: examine memory at a function's address
- Stack
  1. bt (info stack): show the functions on the call stack
  2. stack n: show the stack contents of the current function (10 lines by default; n is the number of lines to show)
  3. i f (info frame): show details of the current stack frame
  4. frame n: select and show stack frame n (counting from 0)
- Registers
  1. i reg (info registers): show the registers
  2. i all-registers: show all registers
  3. x or p $register: show the contents of a specific register
- Process state
  i program (process id, address where the program stopped, reason it stopped)
- Auto-display of variables
  1. display/format address (or a variable / $register)
  2. i display: list the auto-display expressions
  3. d display N: delete auto-display entry N
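The `x/` syntax above packs three things into one token: a count, a format letter and a unit letter, in any order. As an added example (not code from the original post, from GDB or from pwndbg), the Python below parses that token the way `x/` does and renders a constructed little-endian memory image the way the debugger would, so each letter's effect can be checked without a live target. The buffer contents, the base address `0x7ffc0000` and the helper names are assumptions made for the illustration.

```python
"""Model of GDB's `x/NFU` examine command over a constructed memory image.

Added illustration for this cheat sheet, not code from GDB or pwndbg. It parses
the count / format / unit letters exactly as `x/` does (e.g. `x/4xb`, `x/2gx`,
`x/s`) and renders a constructed little-endian buffer the way a debugger would.
"""
import re
import struct

# Unit letters -> byte size (GDB: b=byte, h=halfword, w=word, g=giant).
UNIT_SIZES = {"b": 1, "h": 2, "w": 4, "g": 8}
# Format letters this model supports (GDB also has a, i, f, which need symbols/disassembly).
FORMATS = set("xduotcs")

_SPEC_RE = re.compile(r"^(\d*)([a-z]*)$")


def parse_spec(spec, default_format="x", default_unit="w"):
    """Parse the text after 'x/' into (count, format, unit).

    GDB accepts the letters in any order; count defaults to 1 and format/unit
    default to the last ones used (modelled here as fixed defaults).
    """
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"bad examine spec: {spec!r}")
    count = int(m.group(1)) if m.group(1) else 1
    fmt, unit = default_format, default_unit
    for ch in m.group(2):
        if ch in FORMATS:
            fmt = ch
        elif ch in UNIT_SIZES:
            unit = ch
        else:
            raise ValueError(f"unknown letter {ch!r} in {spec!r}")
    if fmt == "c":
        unit = "b"  # GDB forces 1-byte units for the 'c' format
    return count, fmt, unit


def _render_value(raw, fmt):
    """Render one little-endian unit in the requested format."""
    size = len(raw)
    unsigned = int.from_bytes(raw, "little")
    if fmt == "x":
        return f"0x{unsigned:0{size * 2}x}"
    if fmt == "d":
        return str(int.from_bytes(raw, "little", signed=True))
    if fmt == "u":
        return str(unsigned)
    if fmt == "o":
        return f"0{unsigned:o}"
    if fmt == "t":
        return f"{unsigned:0{size * 8}b}"
    if fmt == "c":
        ch = chr(unsigned) if 32 <= unsigned < 127 else f"\\{unsigned:03o}"
        return f"{unsigned} '{ch}'"
    raise ValueError(fmt)


def examine(memory, base, addr, spec):
    """Emulate `x/<spec> addr` against `memory` (bytes mapped at `base`).

    Returns a list of output lines, each starting with the address like GDB.
    """
    count, fmt, unit = parse_spec(spec)
    off = addr - base
    if off < 0 or off >= len(memory):
        raise ValueError(f"Cannot access memory at address 0x{addr:x}")
    lines = []
    if fmt == "s":
        # x/Ns prints N NUL-terminated strings, one per line.
        for _ in range(count):
            end = memory.index(b"\0", off)
            s = memory[off:end].decode("latin-1")
            lines.append(f"0x{base + off:x}:\t\"{s}\"")
            off = end + 1
        return lines
    size = UNIT_SIZES[unit]
    per_line = {1: 8, 2: 8, 4: 4, 8: 2}[size]  # GDB's default columns per row
    values = []
    for i in range(count):
        raw = memory[off + i * size: off + (i + 1) * size]
        if len(raw) < size:
            raise ValueError(f"Cannot access memory at address 0x{base + off + i * size:x}")
        values.append(_render_value(raw, fmt))
    for row in range(0, count, per_line):
        row_addr = base + off + row * size
        lines.append(f"0x{row_addr:x}:\t" + "\t".join(values[row:row + per_line]))
    return lines


# Constructed sample image (not a real process): a 4-byte value, an 8-byte -1,
# and two C strings, mapped at a made-up base address.
BASE = 0x7FFC0000
MEMORY = struct.pack("<Iq", 0xDEADBEEF, -1) + b"flag{x}\0" + b"AB\0"

if __name__ == "__main__":
    for spec, addr in [("4xb", BASE), ("xw", BASE), ("dg", BASE + 4), ("2s", BASE + 12)]:
        print(f"x/{spec} 0x{addr:x}")
        print("\n".join(examine(MEMORY, BASE, addr, spec)))
```

Running it shows why `x/4xb` and `x/xw` at the same address print the same four bytes in opposite order: the unit letter decides how many bytes are grouped before the little-endian value is formed.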

2. Breakpoints

- Setting breakpoints
  1. b (break) function_name: break at the function
  2. b *address: break at the address
  3. b *function+offset: break at an offset inside a function
  4. b (no argument): set a breakpoint at the next line to be executed
- Deleting breakpoints
  d N (N is the breakpoint number)
- Listing breakpoints and their numbers
  i b (info breakpoints)
- Disabling and enabling breakpoints
  1. disable N: disable breakpoint N
  2. enable N: enable breakpoint N

3. Debugging

- Loading a target
  1. gdb filename
  2. inside gdb: file filename
  3. inside gdb: attach pid
- Running
  1. start: run up to the program's main function
  2. r (run): run the program
  3. c (continue): continue running
  4. si (stepi): single-step into (OllyDbg F7)
  5. ni (nexti): single-step over (OllyDbg F8)
  6. finish: run until the current function returns
  7. disassemble: disassemble a function name, an address, or a range given as start_address,+length

4. Altering program flow

- Reverse execution
  after record, rsi (reverse-stepi) steps backwards
- set: modify memory
- return: force a return from the current function
- call: force a function call
- jump: resume execution at another location

5. TUI windows (errors occur once the PEDA plugin is installed)

- layout: splits the window so you can view code while testing
      (views: source, assembly, split source + assembly, source/assembly + registers)
- ctrl-x then a: toggle between traditional mode and window mode

6. Other

- q: quit
- I/O redirection: r > outfile, r < infile
- Enter: repeat the previous command

pwndbg plugin

File information

argc                 print argc
args                 = argv print argv[]

auxv                 print the ELF auxiliary vector
env                  = environ = envp print environment information
getfile              Gets the current file.
getpid               Get the pid.
pid                  Gets the pid.
procinfo             Display information about the running process.

elfheader            Prints the section mappings contained in the ELF header.
xinfo                Shows offsets of the specified address to useful other locations
got                  Show the state of the Global Offset Table
gotplt               Prints any symbols found in the .got.plt section if it exists.
plt                  Prints any symbols found in the .plt section if it exists.

fsbase               Prints out the FS base address.  See also $fsbase.
gsbase               Prints out the GS base address.  See also $gsbase.

k                    Print a backtrace (alias 'bt').
down                 Select and print stack frame called by this one.
up                   Select and print stack frame that called this one.

libs                 GDBINIT compatibility alias for 'libs' command.
vmmap                = vprot = lm = address Print virtual memory map pages. Results can be filtered by providing address/module name.
vmmap_add            Add a virtual memory map page.
vmmap_clear          Clear the vmmap cache.
vmmap_load           Load virtual memory map pages from ELF file.

## Calculations
+ distance             Print the distance between the two arguments. // distance between two addresses
ln                   List the symbols nearest to the provided value. // offset of the given address inside the function that contains it

Debugging

## Running
go                   Windbg compatibility alias for 'continue' command.

entry                Set a breakpoint at the first instruction executed in
entry_point          GDBINIT compatibility alias to print the entry point. See also the 'entry' command.
sstart               GDBINIT compatibility alias for 'tbreak __libc_start_main; run' command.
main                 GDBINIT compatibility alias for 'main' command.
start                Set a breakpoint at a convenient location in the binary,
init                 GDBINIT compatibility alias for 'start' command.

xuntil               Continue execution until an address or function.
pc                   Windbg compatibility alias for 'nextcall' command.
nextcall             Breaks at the next call instruction
nextjmp              = nextjump Breaks at the next jump instruction.

## Setting breakpoints
bc                   clear breakpoints and watchpoints
bd                   disable a breakpoint
be                   enable a breakpoint
bl                   = i b
bp                   = b
breakrva             = brva Break at RVA from PIE base.
b *$rebase(0x<offset from base>)   set a breakpoint in a PIE binary by its offset from the base
b *(base_address+xxx)

stepret              Breaks at next return-like instruction by 'stepping' to it
nextret              Breaks at next return-like instruction
stepsc               = stepsyscall Breaks at the next syscall by taking branches.
nextsc               = nextsyscall Breaks at the next syscall not taking branches.

nextproginstr        Breaks at the next instruction that belongs to the running program

## Disassembly
u                    Starting at the specified address, disassemble N instructions.
nearpc               Disassemble near a specified address.
emulate              Like nearpc, but will emulate instructions from the current $PC forward.

## Register information
dumpargs             Prints determined arguments for call instruction.  // prints the argument registers (the six used to pass arguments)
regs                 Print out all registers and enhance the information.
xpsr                 = cpsr Print out ARM CPSR or xPSR register

Memory information

## Viewing
ds                   Dump a string at the specified address.
da                   Dump a string at the specified address.
db                   Starting at the specified address, dump N bytes.
dd                   Starting at the specified address, dump N dwords.
dq                   Starting at the specified address, dump N qwords.
dw                   Starting at the specified address, dump N words.
dc                   Starting at the specified address, hexdump.

+ dt                   Dump out information on a type (e.g. ucontext_t).

+ dds                  = dps = dqs = kd Dump pointers and symbols at the specified address.
+ telescope            Recursively dereferences pointers starting at the specified address
+ stack                dereferences on stack data with specified count and offset.
+ retaddr              Print out the stack addresses that contain return addresses.

leakfind             Attempt to find a leak chain given a starting address. // find a leak chain starting from the given address

+ hexdump              Hexdumps data at the specified address or module name (or at $sp)

## Modifying
eb                   Write hex bytes at the specified address.
ed                   Write hex dwords at the specified address.
eq                   Write hex qwords at the specified address.
ew                   Write hex words at the specified address.
ez                   = eza Write a string at the specified address.

## Searching
search               Search memory for byte sequences, strings, pointers, and integer values

arena                Print the contents of an arena, default to the current thread's arena.
arenas               List this process's arenas.

bins                 Print the contents of all an arena's bins and a thread's tcache, default to the current thread's arena and tcache.
fastbins             Print the contents of an arena's fastbins, default to the current thread's arena.
smallbins            Print the contents of an arena's smallbins, default to the current thread's arena.
unsortedbin          Print the contents of an arena's unsortedbin, default to the current thread's arena.
largebins            Print the contents of an arena's largebins, default to the current thread's arena.

malloc_chunk         Print a chunk.
heap                 Iteratively print chunks on a heap, default to the current thread's active heap.
vis_heap_chunks      Visualize chunks on a heap, default to the current arena's active heap.
top_chunk            Print relevant information about an arena's top chunk, default to current thread's arena.

try_free             Check what would happen if free was called with given address
find_fake_fast       Find candidate fake fast chunks overlapping the specified address.

mp                   Print the mp_ struct's contents.

Security protections

checksec             Prints out the binary security settings using `checksec`.
aslr                 view and set ASLR (setting it to on takes effect the next time the program is restarted)
canary               Print out the current stack canary.
piebase              Calculate VA of RVA from PIE base.
tcache               Print a thread's tcache contents, default to the current thread's tcache.
tcachebins           Print the contents of a tcache, default to the current thread's tcache.
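The `piebase`, `breakrva` / `b *$rebase(...)` and `xinfo` entries above all rest on the same arithmetic: find where the PIE binary was mapped (what `vmmap` / `info proc mappings` show) and add or subtract offsets. As an added example (not pwndbg's own code), the Python below parses a constructed `/proc/<pid>/maps` sample, takes the lowest mapping of the executable as the PIE base, and converts between relative virtual addresses (what a disassembler shows for a PIE file) and runtime addresses. The sample mappings, the path `/home/user/demo` and the helper names are assumptions made for the illustration.

```python
"""Model of pwndbg's `piebase` / `$rebase()` / `breakrva` / `xinfo` arithmetic.

Added illustration for this cheat sheet, not pwndbg's own code. It parses the
text format of /proc/<pid>/maps from a constructed sample, takes the lowest
mapping of the main binary as the PIE base, and converts between RVAs and VAs.
"""
from dataclasses import dataclass
import re

# Constructed sample of /proc/<pid>/maps for a PIE binary (addresses invented).
SAMPLE_MAPS = """\
555555554000-555555555000 r--p 00000000 08:01 1234 /home/user/demo
555555555000-555555556000 r-xp 00001000 08:01 1234 /home/user/demo
555555556000-555555557000 r--p 00002000 08:01 1234 /home/user/demo
555555557000-555555559000 rw-p 00002000 08:01 1234 /home/user/demo
7ffff7dc1000-7ffff7de3000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7de3000-7ffff7f5b000 r-xp 00022000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [pathname]
_LINE_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    file_offset: int
    name: str

    def contains(self, addr):
        return self.start <= addr < self.end


def parse_maps(text):
    """Parse /proc/<pid>/maps text into Mapping records (order preserved)."""
    maps = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        maps.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), int(m.group(4), 16), m.group(5)))
    return maps


def piebase(maps, exe_path):
    """Lowest start address among the mappings backed by the executable.

    This is what `piebase` prints for a PIE binary; returns None when the
    binary is not mapped yet (before `start` / `run`).
    """
    starts = [m.start for m in maps if m.name == exe_path]
    return min(starts) if starts else None


def rebase(maps, exe_path, rva):
    """$rebase(rva): turn an RVA from the disassembler into a runtime VA."""
    base = piebase(maps, exe_path)
    if base is None:
        raise RuntimeError("binary not mapped yet; run the program first")
    return base + rva


def rva_of(maps, exe_path, va):
    """Inverse of rebase: the offset of a runtime VA from the PIE base."""
    return va - piebase(maps, exe_path)


def xinfo(maps, addr):
    """Like `xinfo`: the mapping containing addr and the offset into it."""
    for m in maps:
        if m.contains(addr):
            return m, addr - m.start
    return None, None


if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    exe = "/home/user/demo"
    print(f"piebase = 0x{piebase(maps, exe):x}")
    # `breakrva 0x1189` (or `b *$rebase(0x1189)`) resolves to this address:
    print(f"b *0x{rebase(maps, exe, 0x1189):x}")
    m, off = xinfo(maps, 0x7FFFF7DE4000)
    print(f"0x7ffff7de4000 is {m.name} {m.perms} + 0x{off:x}")
```

The reason `piebase` takes the lowest mapping rather than the executable one is visible in the sample: a PIE binary is mapped as several segments with different permissions, and RVAs in the disassembler are measured from the start of the first one, which is why `b *0x1189` without `$rebase` lands nowhere once the program is running.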

pwndbg

config               Shows pwndbg-specific config. The list can be filtered.
configfile           Generates a configuration file for the current Pwndbg options
reinit_pwndbg        Makes pwndbg reinitialize all state.
reload               Reload pwndbg.
theme                Shows pwndbg-specific theme config. The list can be filtered.
themefile            Generates a configuration file for the current Pwndbg theme options

Commands

## context display
ctx                  = context Print out the current register, instruction, and stack context.
ctx-unwatch          = cunwatch = contextunwatch Removes an expression previously added to be watched.
ctx-watch            = cwatch = contextwatch Adds an expression to be shown on context.
ctx-ghidra           = contextghidra Show current function decompiled by ghidra
ctx-out              = contextoutput Sets the output of a context section.

## Integration with other tools
rop                  = ropgadget Dump ROP gadgets with Jon Salwan's ROPgadget tool.
ropper               ROP gadget search with ropper.
j                    Synchronize IDA's cursor with GDB
save_ida             Save the ida database.
r2                   Launches radare2
pdisass              Compatibility layer for PEDA's pdisass command.

## Functions whose purpose is unclear
probeleak            Pointer scan for possible offset leaks.
mprotect             Calls mprotect. x86_64 only.
so                   Sets a breakpoint on the instruction after this one
stepover             Sets a breakpoint on the instruction after this one

## Functions that errored when used
errno                Converts errno (or argument) to its string representation.
bugreport            Generate bugreport
memfrob              Memfrobs a region of memory.
xor                  XOR `count` bytes at `address` with the key `key`.

System commands

## Ubuntu command-line commands

asm                  Invokes asm  # worth studying properly
cyclic               Invokes cyclic
diff                 Invokes diff
disasm               Invokes disasm
bash                 opens a bash shell inside pwndbg; type exit to leave
sh                   Invokes sh
nc                   Invokes nc
ssh                  Invokes ssh


## Tools
constgrep            Invokes constgrep
egrep                Invokes egrep
grep                 Invokes grep

awk                  Invokes awk
sed                  Invokes sed
sort                 Invokes sort
unhex                Invokes unhex
uniq                 Invokes uniq


## Files/directories
ls                   Invokes ls
cat                  Invokes cat
less                 Invokes less
more                 Invokes more
tail                 Invokes tail
cp                   Invokes cp
mv                   Invokes mv
rm                   Invokes rm
pwd                  Invokes pwd
mkdir                Invokes mkdir
touch                Invokes touch
mktemp               Invokes mktemp
vi                   Invokes vi
vim                  Invokes vim
nano                 Invokes nano
chmod                Invokes chmod
chown                Invokes chown
chattr               Invokes chattr

## System
#### User information
id                   Invokes id
w                    Invokes w
who                  Invokes who
whoami               Invokes whoami
#### Process information
pkill                Invokes pkill
ps                   Invokes ps
pstree               Invokes pstree
top                  Invokes top