One thing that really bothered me for a long time while debugging is the need to calculate the libraries loaded addresses versus the addresses at disk if you want to follow and comment library code in IDA. While the ASLR slide can also be disabled when starting processes (or even attaching by disabling it first in the Mach-O header) sometimes I want to attach to ASLR enabled processes and once again I need to compute values without the slide to follow in IDA.

Last week I finally got fed up of this problem and decided to take action and dive into the unknown world of GDB source code. Oh boy, it’s quite an adventure but this time I managed to escape alive out of it! The result is what I think it is a very nice patch that can save time to fellow reversers (this might be the moment where someone says it already exists, he he he!). At least I like it very much since it gives me right away information that I like to have.

What the patch does it to show you the non-ASLR address value (if ASLR is set) and to which image the address belongs to. This avoids the step to use info shared command or vmmap util to dump the addresses and lookup where it belongs to (I think there is a GDB command for this, but it is still another extra step). The patch is not yet perfect because the GDB source is a mess with a few different conditions that do not make a lot of sense (not commented code does not help!). What I implemented seems to work for most cases so I am happy with it for now. Oh, there is also some CPU waste to search the addresses. Let’s do it game style by abusing today’s fast CPUs and forgetting “optimization”. Two screenshots, one of the entrypoint for ls command and the other inside a library call.

gdb1
gdb2

I don’t like the lack of alignment of the image name but that requires more messing with internal GDB stuff and I need a new dose of courage to get into. Submit patches if you dare!

Source code located at GitHub repo https://github.com/gdbinit/gdb-ng also with fixes to use darwinbuild with Xcode 5. Maybe I should buy an Apple developer certificate and start distributing signed binaries.

Have fun,
fG!

P.S.: Read this post about how to compile GDB using darwinbuild.

Update: Just added an option to print only the image name without full path. Default is disabled and variable to set is print-full-path. Just pull from the github repo.