# GDB & Peda
https://www.gnu.org/software/gdb/
- allows you to see what is going on 'inside' another program while it executes
    - or what another program was doing at the moment it crashed
- GDB Quick Reference: https://www.cs.virginia.edu/~cr4bd/4630/S2017/gdb-cheat.html
- check if gdb is installed; if you get a "command not found" error, install it

In [1]:
! gdb --version

GNU gdb (Debian 10.1-1.3) 10.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


In [2]:
! echo kali | sudo -S apt install -y gdb

Reading package lists... Done
Building dependency tree       
Reading state information... Done
gdb is already the newest version (10.1-1.3).
The following packages were automatically installed and are no longer required:
  libexo-1-0 libgdal27 libgeos-3.8.1 libllvm10 libmicrohttpd12 libpython3.8
  libpython3.8-dev libqt5opengl5 libwireshark13 libwiretap10 libwsutil11
  libxcb-util0 python3-gevent python3-greenlet python3-h2 python3-hpack
  python3-hyperframe python3-zope.event python3.8-dev
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 26 not upgraded.


## GDB settings

### Temporary setting
- set the default assembly syntax to Intel instead of AT&T for the current gdb session only (typed at the gdb prompt)
`(gdb) set disassembly-flavor intel`

### Permanent setting
- `$ cat ~/.gdbinit` : show the current settings file, if one exists
- `$ echo "set disassembly-flavor intel" > ~/.gdbinit`

### Intel Instruction Syntax:
```
operation <destination>, <source>
```

## GDB demo
- use `demos/stack_demo.cpp` to see stack segment as discussed in x86Assembly and Stack chapter

## compile with -g switch and load binary
- `g++ -g -m32 -o outputProgram inputFile.cpp`
- `gdb -q ./outputProgram` : run gdb quietly (`-q` suppresses the startup banner)
- use `demos/stack_demo.cpp` program to demo useful gdb commands

## Useful commands

### help
- `help`
- `help <instruction>`

### starting/stopping
- `run ARGS` : start the program with the arguments ARGS
- `run ARGS < input.txt` : start the program with the arguments ARGS, providing std input from the input.txt file
- `kill` : terminate the current program
- `step or s` : step forward one source line, stepping into any called function
- `stepi or si` : step forward by one instruction (steps into function calls)
- `next or n` : step forward one statement or function call (execute the entire function with one keypress)
- `nexti or ni` : step forward by one instruction (stepping over any called function)
- `continue or c` : run until next breakpoint

### break points, break or b
- `break [line number, function name, memory address]`: stop execution at the breakpoint
- `break function`: set a breakpoint at entry to a particular function

### disassemble
- `disassemble function` : disassemble a function by name
- `set disassembly-flavor intel` : use Intel assembly syntax

### print variables and memory address, and basic arithmetic
- `print 2+2`
- `print $ebp + 4`
- `print varName`
- `print $ebp` : similar to `i r ebp`

### print format
- `print/format [value/address/variable]` or `p/format [value/address/variable]`
- e.g. `p/x $ebp+8`
- `p/x` : print in hex (default)
- `p/d` : print as signed decimal
- `p/u` : print as unsigned decimal
- `p/o` : print as octal
- `p/t` : print as binary
- `p/c` : print as character
- `p/s` : print as string

## memory examination and data format
- **x/[count][size][format] [register/memory]**
    - count: number of units (of the given size) to display, starting at the register/memory location
    - format:
        - **o** : display in octal
        - **x** : display in hexadecimal
        - **u** : display in unsigned (base-10 decimal)
        - **d** : display in base-10 decimal
        - **t** : display in binary
        - **s** : string
        - **c** : character
    - size:
        - **b** : a single byte
        - **h** : a halfword (2 bytes)
        - **w** : a word (4 bytes) - default
        - **g** : giant (8 bytes)
- **x/40wx $esp** : display 40 words (4 bytes each) in hex, starting from the top of the stack
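To make the count/size/format letters concrete, here is an added Python example (not from this page and not GDB or PEDA code) that emulates `x/` over a constructed 16-byte stack snapshot; `STACK_BYTES`, `STACK_BASE` and the function names are assumptions for the demo.

```python
import re

# Constructed 16-byte "stack snapshot" (not a real gdb dump), little-endian as on x86.
STACK_BASE = 0xffffd0a0
STACK_BYTES = (
    b"\x01\x00\x00\x00"   # 0xffffd0a0: word 0x00000001
    b"\xff\xff\xff\xff"   # 0xffffd0a4: word 0xffffffff, i.e. -1 signed
    b"ABCD"               # 0xffffd0a8: bytes 41 42 43 44 -> word 0x44434241
    b"hello\x00\x00\x00"  # 0xffffd0ac: NUL-terminated C string
)
SIZES = {"b": 1, "h": 2, "w": 4, "g": 8}

def parse_spec(spec):
    """'40wx' -> (40, 'w', 'x'); count defaults to 1, size to w, format to x."""
    m = re.fullmatch(r"(\d*)([bhwgoxudtsc]*)", spec)
    if not m:
        raise ValueError(f"bad x/ spec: {spec!r}")
    count, size, fmt = int(m.group(1) or 1), "w", "x"
    for ch in m.group(2):   # size and format letters may come in either order
        size, fmt = (ch, fmt) if ch in SIZES else (size, ch)
    return count, size, fmt

def examine(mem, mem_base, addr, count, size, fmt):
    """Emulate x/<count><size><fmt> at addr -> [(address, text), ...]. Integers are
    little-endian as on x86; 's' ignores size and 'c' reads bytes, as gdb does."""
    out, off = [], addr - mem_base
    for _ in range(count):
        if fmt == "s":                        # NUL-terminated string
            end = mem.index(b"\x00", off)
            out.append((mem_base + off, '"' + mem[off:end].decode("latin-1") + '"'))
            off = end + 1
            continue
        n = 1 if fmt == "c" else SIZES[size]
        chunk = mem[off:off + n]
        if len(chunk) < n:
            raise ValueError("read past end of snapshot")
        u, bits = int.from_bytes(chunk, "little"), 8 * n
        s = u - (1 << bits) if u >> (bits - 1) else u      # two's complement view
        render = {"x": lambda: f"0x{u:0{2 * n}x}", "d": lambda: str(s), "u": lambda: str(u),
                  "o": lambda: f"0{u:o}", "t": lambda: f"{u:0{bits}b}",
                  "c": lambda: f"{s} {chr(u)!r}"}
        out.append((mem_base + off, render[fmt]()))
        off += n
    return out

def x(mem, mem_base, addr, spec, per_line=4):
    """Render like gdb: x/4wx $esp -> ['0xffffd0a0:' followed by 4 tab-separated words]."""
    cells = examine(mem, mem_base, addr, *parse_spec(spec))
    return [f"{cells[i][0]:#x}:\t" + "\t".join(t for _, t in cells[i:i + per_line])
            for i in range(0, len(cells), per_line)]
```

Compare `x(STACK_BYTES, STACK_BASE, STACK_BASE + 8, "4bc")` with `"2hx"` at the same address to see how size changes the grouping of the same bytes.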

# PEDA - Python Exploit Development Assistance for GDB

## Installation
https://github.com/longld/peda
See section 3, Installation, of the README

## Configure GDB to use PEDA

### Add the following settings in ~/.gdbinit file
```
# Intel syntax is more readable
set disassembly-flavor intel
 
# When inspecting large portions of code the scrollbar works better than 'less'
set pagination off

# Keep a history of all the commands typed. Search is possible using ctrl-r
set history save on
set history filename ~/.gdb_history
set history size 32768
set history expansion on
```

## Useful commands
### can still run all GDB commands inside PEDA!

### help
```
gdb-peda$ peda help
gdb-peda$ help <keyword>
gdb-peda$ help <command>
```

### show only the selected context, not everything, while stepping through

- **context all** : run by default whenever a breakpoint is hit
- **context reg** : for the registers and flags
- **context code** : for disassembling around the current instruction pointer
- **context stack** : for examining the stack

### quickly check the security settings of the program

```bash
gdb-peda$ checksec
```

### generate pattern
- generate pattern and store in a file

```bash
gdb-peda$ pattern_create 120 file
```

- generate pattern and set as argument
```bash
gdb-peda$ pattern arg 100
```

### search pattern
- crash the program with the pattern, then run `patts` or `pattern_search`
- look for the EIP offset, i.e. the distance from the start of the target buffer to the saved return address
```bash
gdb-peda$ pattern_search
```
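The offset lookup above, as an added Python example that is not PEDA's code: a simplified Metasploit-style cyclic pattern and the search that maps the crashed EIP value (as gdb prints it) back to a buffer offset, including the little-endian byte reversal that `pattern_search` does for you; `cyclic_pattern` and `pattern_offset` are assumed names.

```python
import string

def cyclic_pattern(length):
    """Build the classic 'Aa0Aa1Aa2...' pattern (a simplified scheme, not PEDA's own
    generator). Each 3-char group is unique, so within the first 20280 chars any
    4-byte window identifies exactly one offset."""
    groups = []
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                groups.append(up + lo + dg)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]      # 26*26*10 groups = 20280 chars at most

def pattern_offset(pattern, value, width=4):
    """Offset in pattern of the bytes that landed in a register at the crash.
    value is the register as gdb shows it (an int such as 0x64413764) or the 4
    ASCII chars. x86 stores words little-endian, so an int's bytes are reversed
    before searching. Returns None when the value is not from the pattern."""
    if isinstance(value, int):
        needle = value.to_bytes(width, "little").decode("latin-1")
    else:
        needle = value
    idx = pattern.find(needle)
    if idx < 0 and pattern.find(needle[::-1]) >= 0:
        # Matches only when reversed: the value was read with the wrong byte order
        raise ValueError("match only when byte-reversed: check endianness")
    return None if idx < 0 else idx
```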


### generate shell code

- `gdb-peda$ shellcode`
- `gdb-peda$ shellcode generate`
- `gdb-peda$ shellcode generate x86/linux exec`

### Useful resources

#### Exploit writing using Python
- http://www.fuzzysecurity.com/tutorials/expDev/2.html

#### ROP and ROP Gadgets
- https://www.exploit-db.com/docs/english/28479-return-oriented-programming-(rop-ftw).pdf

#### Buffer overflow resources
- https://samsclass.info/123/proj14/lbuf1.htm
- http://www.tenouk.com/Bufferoverflowc/Bufferoverflow6.html
- https://tc.gtisc.gatech.edu/cs6265/2016/l/lab02-warmup2/README-tut.txt - peda