Multi-Architecture GDB Enhanced Features for Exploiters & Reverse-Engineers
Python Shell

README.md

GEF - GDB Enhanced Features

ReadTheDocs MIT Python 2 Python 3 IRC Build Status

GEF is a kick-ass set of commands for X86, ARM, MIPS, PowerPC and SPARC to make GDB cool again for exploit dev. It is aimed to be used mostly by exploiters and reverse-engineers, to provides additional features to GDB using the Python API to assist during the process of dynamic analysis and exploit development.

GEF fully relies on GDB API and other Linux-specific sources of information (such as /proc/<pid>). As a consequence, some of the features might not work on custom or hardened systems such as GrSec.

It has full support for both Python2 and Python3 indifferently (as more and more distros start pushing gdb compiled with Python3 support).

gef-context

Some of GEF features include:

  • One single GDB script.
  • No dependencies, GEF is battery-included and is literally installable within 5 seconds.
  • Provides more than 50 commands to drastically change your experience in GDB.
  • Works consistently on both Python2 and Python3.
  • Built around an architecture abstraction layer, so all commands work in any GDB-supported architecture (x86-32/64, ARMv5/6/7, AARCH64, SPARC, MIPS, PowerPC, etc.).

Quick start

Install

Simply make sure you have GDB 7.x+.

# via the install script
$ wget -q -O- https://github.com/hugsy/gef/raw/master/gef.sh | sh

# manually
$ wget -q -O ~/.gdbinit-gef.py https://github.com/hugsy/gef/raw/master/gef.py
$ echo source ~/.gdbinit-gef.py >> ~/.gdbinit

Then just start playing (for local files):

$ gdb -q /path/to/my/bin
gef➤  gef help

Or (for remote debugging):

remote:~ $ gdbserver 0.0.0.0:1234 /path/to/file
Running as PID: 666

And:

local:~ $ gdb -q
gef➤  gef-remote -t your.ip.address:1234 -p 666

Update

If your host/VM is connected to the Internet, you can update gef easily to the latest version (even without git installed). with python /path/to/gef.py --update

For example:

$ python ~/.gdbinit-gef.py --update
Updated

If no updates are available, gef will respond No update instead.

Screenshots

This shows a few examples of new features available to you when installing GEF, with the supported architecture.

Emulating code in GDB via Unicorn-Engine (x86-64)

gef-x86

Displaying ELF information, memory mapping and using Capstone/Keystone integration (ARM v6)

gef-arm

Automatic dereferencing of registers values and identifying binary protections (PowerPC)

gef-ppc

Showing current context and heap information (MIPS)

gef-mips

Playing with Capstone engine (SPARC v9)

gef-sparc

Dependencies

There are none: GEF works out of the box! However, to enjoy all the coolest features, it is highly recommended to install:

{Cap,Key}stone

capstone (by Nguyen Anh Quynh) is an alternative disassembly engine, and keystone is an (arguably the best) assembly engine. You can use pip to simply and quickly install it.

$ pip2 install capstone keystone-engine  # for Python2.x
$ pip3 install capstone keystone-engine  # for Python3.x

capstone and keystone are under very active development and improvement, so it is recommended to compile and install them from git.

$ git clone https://github.com/keystone-engine/keystone.git
$ mkdir -p keystone/build && cd keystone/build
$ ../make-share.sh
$ sudo make install
$ sudo ldconfig
$ cd ../bindings/python && sudo ./setup.py build && sudo ./setup.py install

capstone provides an alternative to the gdb disassembler, which could be useful specifically when dealing with complex/uncommon instructions.

keystone allows to generate opcodes, which can, for example, then be used as part of a shellcode. gef-shellcoder

Unicorn

unicorn (also written by Nguyen Anh Quynh) is a lightweight Qemu-based framework to emulate any architecture currently supported by GDB (and even some more). Install is simple through the released packages but I would recommend instead to rely on the GIT master branch.

$ git clone https://github.com/unicorn-engine/unicorn.git && cd unicorn && ./make.sh && sudo ./make.sh install

unicorn integration in gef allows to emulate the behaviour to specific instructions (or block of instructions) based on the runtime context, without actually running it, and therefore sparing the trouble of saving the context/running the new context/restoring the old context. Additionally, gef can generate a standalone unicorn Python script, if you want/need to reproduce steps outside the debugger.

ROPGadget

ROPgadget (written by Jonathan Salwan) is simply the best cross-platform ROP gadget finder. It has been totally integrated inside gef to benefit of all of its awesomeness.

$ pip[23] install ropgadget

Ropper

Ropper (written by Sascha Schirra) is another gadget finder. It supports opening multiple files and provides an awesome search option to find accurate gadgets.

$ pip[23] install ropper

One-liner

Some of the optional dependencies can be installed using Python package installer, pip. Simply run this

$ pip[23] install ropgadget ropper capstone

But why not PEDA?

Yes! Why not?! PEDA is a fantastic tool to do the same, but only works for x86-32 or x86-64x whereas GEF supports all the architecture supported by GDB (currently x86, ARM, AARCH64, MIPS, PowerPC, SPARC) but is designed to integrate new architectures very easily as well!

Bugs & Feedbacks

To discuss gef, gdb, exploitation or other topics, feel free to join the ##gef channel on the Freenode IRC network. You can also to me (hugsy) via the channel. For those who do not have an IRC client (like weechat or irssi), simply click here.

For bugs or feature requests, just go here and provide a thorough description if you want help.

Contribution

gef was created and maintained by myself, @_hugsy_, but kept fresh thanks to all the contributors.

Or if you just like the tool, feel free to drop a simple "thanks" on IRC, Twitter or other, it is always very appreciated.

Open-Source Rewards

I love Open-Source, and just like my other projects I've decided to offer a 🍺 4 🐛 (a.k.a beer4bugs) bounty for GEF, to thank everybody who helps keeping the project living and always better.

The rule is simple, provide a (substantial) contribution to GEF, such as:

  1. Submitting a Pull-Request for a new feature/command.
  2. Submitting a Pull-Request for a new architecture support.
  3. Or sending a relevant issue request (like a bug, crash, or else).

Poke me on the IRC ##gef channel about it, and next time we meet in person (like at a conference), I'll be happy to pay you a beer.

I do also accept beers if you think that the tool is cool! 😉

Cheers 🍻

Happy Hacking