GEF - GDB Enhanced Features
GEF is a kick-ass set of commands for X86, ARM, MIPS, PowerPC and SPARC to
make GDB cool again for exploit dev. It is aimed to be used mostly by exploiters
and reverse-engineers, to
provides additional features to GDB using the Python API to assist during the
process of dynamic analysis and exploit development.
GEF fully relies on GDB API and other Linux-specific sources of information
/proc/<pid>). As a consequence, some of the features might not work on
custom or hardened systems such as GrSec.
It has full support for both Python2 and Python3 indifferently (as more and more
distros start pushing
gdb compiled with Python3 support).
GEF features include:
- One single GDB script.
- No dependencies,
GEFis battery-included and is literally installable within 5 seconds.
- Provides more than 50 commands to drastically change your experience in GDB.
- Works consistently on both Python2 and Python3.
- Built around an architecture abstraction layer, so all commands work in any GDB-supported architecture (x86-32/64, ARMv5/6/7, AARCH64, SPARC, MIPS, PowerPC, etc.).
Simply make sure you have GDB 7.x+.
# via the install script $ wget -q -O- https://github.com/hugsy/gef/raw/master/gef.sh | sh # manually $ wget -q -O ~/.gdbinit-gef.py https://github.com/hugsy/gef/raw/master/gef.py $ echo source ~/.gdbinit-gef.py >> ~/.gdbinit
Then just start playing (for local files):
$ gdb -q /path/to/my/bin gef➤ gef help
Or (for remote debugging):
remote:~ $ gdbserver 0.0.0.0:1234 /path/to/file Running as PID: 666
local:~ $ gdb -q gef➤ gef-remote -t your.ip.address:1234 -p 666
If your host/VM is connected to the Internet, you can update
gef easily to the latest version (even without
git installed). with
python /path/to/gef.py --update
$ python ~/.gdbinit-gef.py --update Updated
If no updates are available,
gef will respond
No update instead.
This shows a few examples of new features available to you when installing
GEF, with the supported architecture.
Emulating code in GDB via Unicorn-Engine (x86-64)
Displaying ELF information, memory mapping and using Capstone/Keystone integration (ARM v6)
Automatic dereferencing of registers values and identifying binary protections (PowerPC)
Showing current context and heap information (MIPS)
Playing with Capstone engine (SPARC v9)
There are none:
GEF works out of the box! However, to enjoy all the coolest
features, it is highly recommended to install:
$ pip2 install capstone keystone-engine # for Python2.x $ pip3 install capstone keystone-engine # for Python3.x
keystone are under very active development and improvement, so it is recommended to compile and install them from git.
$ git clone https://github.com/keystone-engine/keystone.git $ mkdir -p keystone/build && cd keystone/build $ ../make-share.sh $ sudo make install $ sudo ldconfig $ cd ../bindings/python && sudo ./setup.py build && sudo ./setup.py install
capstone provides an alternative to the
gdb disassembler, which could be useful specifically when dealing with complex/uncommon instructions.
unicorn (also written by Nguyen Anh Quynh) is a lightweight Qemu-based framework to emulate any architecture currently supported by
GDB (and even some more).
Install is simple through the released packages but I would recommend instead to rely on the GIT master branch.
$ git clone https://github.com/unicorn-engine/unicorn.git && cd unicorn && ./make.sh && sudo ./make.sh install
unicorn integration in
gef allows to emulate the behaviour to specific instructions (or block of instructions) based on the runtime context, without actually running it, and therefore sparing the trouble of saving the context/running the new context/restoring the old context. Additionally,
gef can generate a standalone
unicorn Python script, if you want/need to reproduce steps outside the debugger.
$ pip install ropgadget
$ pip install ropper
Some of the optional dependencies can be installed using Python package
pip. Simply run this
$ pip install ropgadget ropper capstone
But why not PEDA?
Yes! Why not?! PEDA is a fantastic tool to
do the same, but only works for x86-32 or x86-64x whereas
all the architecture supported by
GDB (currently x86, ARM, AARCH64, MIPS,
PowerPC, SPARC) but is designed to integrate new architectures very easily as
Bugs & Feedbacks
gdb, exploitation or other topics, feel free to join the
##gef channel on the Freenode IRC network. You can also to me (
hugsy) via the
channel. For those who do not have an IRC client (like
simply click here.
For bugs or feature requests, just go here and provide a thorough description if you want help.
Or if you just like the tool, feel free to drop a simple "thanks" on IRC, Twitter or other, it is always very appreciated.
I love Open-Source, and just like
my other projects
I've decided to offer a
GEF, to thank everybody who helps keeping the project living and always
The rule is simple, provide a (substantial) contribution to
GEF, such as:
- Submitting a Pull-Request for a new feature/command.
- Submitting a Pull-Request for a new architecture support.
- Or sending a relevant issue request (like a bug, crash, or else).
Poke me on the IRC
##gef channel about it, and next time we meet in person
(like at a conference), I'll be happy to pay you a beer.
I do also accept beers if you think that the tool is cool!