@Stolas
Last active June 11, 2021 10:50
SETUP
------------------------------------------------------
------------------------------------------------------
CONTROL FLOW
c - continue
s - step
set step-mode off -- Toggle Step Over
show step-mode -- Show Step Mode.
until *0xaddress - step to address
finish - step to next return
------------------------------------------------------
BREAKPOINTS
break *0xaddress - Set breakpoint
// CONTINUE HERE.
SETUP
------------------------------------------------------
To set windbg as your default post-mortem debugger (run on crash of programs),
simply run windbg from the command line with the -I option:
C:\wherever\windbg.exe -I
WinDbg itself is only a frontend for dbgeng.dll.
------------------------------------------------------
CONTROL FLOW
g - go / continue / run
p - step over
t - step into
(All further commands also work as ta, tc, tt, tct, th - stepping into instead of over)
pa 0xaddress - step to address
pc - step to next call
pt - step to next return
pct - step to next call or return
ph - step to next branching instruction
------------------------------------------------------
BREAKPOINTS
bp 0xaddress - Set breakpoint
bl - List breakpoints
bd num - disable breakpoint num
bc num - clear breakpoint num
ba [e|r|w] 1 0xaddress - break on access [execution|read|write] size address
sxe ld:dllname - Break on load of module dllname
------------------------------------------------------
DUMP MEMORY
d[d|w|b|a] 0xaddress - dump [dword|word|byte|ascii] at address
d[d|w|b|a] 0xaddress L5 - option L argument defines how many of them to dump
dd register - dump contents of a register
ddp 0xaddress - dump contents of address, and whatever it points to
dda 0xaddress - dump contents of address, and print the string if it exists
u 0xaddress L5 - disassemble at 0xaddress, L instructions
------------------------------------------------------
EDIT MEMORY
e[d|w|b] 0xaddress newbytes - edit memory
------------------------------------------------------
SEARCH MEMORY
s -[d|w|b|a] 0x00000000 L?0xffffffff searchval
- first option is size (dword, word, byte, ascii string)
- second option is start address
- third option is the length of the range to search (L? lifts the 256 MB limit, so L?0xffffffff reaches the end address)
- last option is the value to search for
- ex dword: 0x41414141
- ex word 0x4241
- ex byte ff e3 (can be as many as you like!)
- ex ascii: avocado!
x nt!Nt*Driver* - examine symbols
------------------------------------------------------
SYMBOL SETUP - to cache symbols in C:\sym
.sympath SRV*C:\sym*http://msdl.microsoft.com/download/symbols/
.reload /f
------------------------------------------------------
DUMP STRUCTURES
!teb - dump thread environment block
!peb - dump process environment block
!vadump - dump list of memory pages and info
!lmi modulename - dump the info for module modulename
lm - show loaded modules
k - show call stack
r - show registers
dt structName 0xaddress - display a structure in proper format if you have symbols
------------------------------------------------------
.writemem FileName Range
a Address Assemble code (patching)
!address -summary - Show summary of memory by types
!heap -s - Show all heaps
!heap -stat -h <heap addr> Show blocks of specific heap
!heap -flt s <block size> Show addresses of memory blocks of specific size by heap
!heap -p -a <usrPtr> Display allocation call stack for given block user ptr address
---------
Report on access:
ba r 1 <addr> ".printf \"Accessed <addr> @ 0x%x\n\", @eip ; .echo ; g"
---------
Kernel Debugging:
In Windows enable debugging:
bcdedit /copy {current} /d "Windows with serial debugging", then copy the created {guid}
bcdedit /set {guid} debug on
bcdedit /set {guid} debugport 4, for some reason none of the other ports worked for me
bcdedit /set {guid} baudrate 115200
On host VirtualBox do:
Serial Ports ->
[X] Enable Serial Port
Port Number: COM4
Port Mode: Host Pipe
[X] Create Pipe
Port/File Path: \\.\pipe\debug
Create BAT file for easy access:
@echo off
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -k com:pipe,port=\\.\pipe\debug,resets=1,reconnect=1
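The bcdedit steps above, scripted so the new entry's {guid} is picked out of bcdedit's output instead of copied by hand. This is an added example, not part of the gist; the description, port and baud rate are the gist's values, and it assumes an elevated PowerShell prompt on the guest.

```powershell
# Added example (not from the gist): automate the bcdedit steps for serial kernel debugging.
# Run from an elevated PowerShell prompt inside the VM to be debugged.
$description = "Windows with serial debugging"   # same description as the manual step
$debugPort   = 4                                 # COM4, as in the gist
$baudRate    = 115200

# bcdedit /copy prints "The entry was successfully copied to {guid}."
# {current} must be quoted, otherwise PowerShell parses the braces as a script block.
$copyOutput = bcdedit /copy '{current}' /d $description
if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }

# Pull the new entry's {guid} out of the message; the regex works on localized
# Windows too, where the surrounding text differs but the GUID format does not.
$match = [regex]::Match(($copyOutput -join ' '), '\{[0-9a-fA-F-]{36}\}')
if (-not $match.Success) { throw "could not find a GUID in: $copyOutput" }
$guid = $match.Value

# Same settings as the manual steps in the gist, applied to the copied entry only,
# so the original {current} entry still boots without a debugger attached.
bcdedit /set $guid debug on
bcdedit /set $guid debugport $debugPort
bcdedit /set $guid baudrate $baudRate

# Show the resulting entry so the settings can be checked before rebooting into it.
bcdedit /enum $guid
```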
Note on Arguments:
In the Microsoft x64 calling convention the first four arguments are passed in registers (RCX, RDX, R8 and R9 respectively),
whilst the remaining parameters are passed on the stack.
Even though the first four parameters are passed in registers,
the calling convention requires that space is allocated for them on the stack (this is called the Home Space).