One small patch for gdb, one giant leap for reversers!

One thing that has bothered me for a long time while debugging is the need to translate the loaded addresses of libraries back to their on-disk addresses whenever I want to follow and comment library code in IDA. The ASLR slide can be disabled when starting a process (or even before attaching, by disabling it first in the Mach-O header), but sometimes I want to attach to an ASLR-enabled process, and once again I need to compute the values without the slide to follow along in IDA.

Last week I finally got fed up with this problem and decided to take action and dive into the unknown world of the gdb source code. Oh boy, it’s quite an adventure, but this time I managed to escape alive! The result is what I think is a very nice patch that can save time for fellow reversers (this might be the moment where someone says it already exists, he he he!). At least I like it very much, since it gives me right away information that I like to have.

What the patch does is show you the non-ASLR address value (if ASLR is set) and which image the address belongs to. This avoids the step of using the “info shared” command or the vmmap utility to dump the addresses and look up where the address belongs (I think there is a gdb command for this, but it is still another extra step). The patch is not yet perfect, because the gdb source is a mess, with a few different conditions that do not make a lot of sense (uncommented code does not help!). What I implemented seems to work for most cases, so I am happy with it for now. Oh, there is also some CPU waste in searching the addresses. Let’s do it game style, by abusing today’s fast CPUs and forgetting about “optimization”. Two screenshots: one of the entry point of the “ls” command and the other inside a library call.
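To make the address translation concrete, here is an added example (an editor's illustration, not code from this post or from the gdb-ng repository) of the computation the patch performs inside gdb. The slide of an image is the difference between where its __TEXT segment actually landed at runtime (what “info shared” or vmmap report) and the __TEXT vmaddr recorded in the Mach-O header on disk (what IDA shows). Given that slide and the image ranges, a runtime address can be mapped back to the on-disk address and to the image it belongs to. The Mach-O parsing uses only the real mach_header_64 / segment_command_64 layouts; the image names, addresses and the tiny headers fed to it are constructed test data, and the full-path/basename switch mirrors the behaviour of the “print-full-path” option rather than its implementation.

```python
"""Map a runtime (ASLR-slid) address back to the on-disk address and name its image.

Added example, not gdb-ng code. The slide of an image is
    runtime __TEXT address  -  __TEXT vmaddr from the Mach-O header on disk.
"""
import os
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MH_MAGIC_64 = 0xFEEDFACF    # little-endian 64-bit Mach-O magic
MH_PIE = 0x200000           # header flag: image is position independent (gets an ASLR slide)
LC_SEGMENT_64 = 0x19        # load command type for 64-bit segments
# mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_FMT = "<IIIIIIII"
# segment_command_64: cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, filesize,
#                     maxprot, initprot, nsects, flags
SEGMENT_FMT = "<II16sQQQQiiII"


def text_segment(macho: bytes) -> Tuple[int, int, bool]:
    """Return (__TEXT vmaddr, __TEXT vmsize, MH_PIE set) from a 64-bit Mach-O image."""
    magic, _, _, _, ncmds, _, flags, _ = struct.unpack_from(HEADER_FMT, macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = struct.calcsize(HEADER_FMT)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmd == LC_SEGMENT_64:
            _, _, segname, vmaddr, vmsize, *_ = struct.unpack_from(SEGMENT_FMT, macho, off)
            if segname.rstrip(b"\0") == b"__TEXT":
                return vmaddr, vmsize, bool(flags & MH_PIE)
        off += cmdsize
    raise ValueError("no __TEXT segment found")


@dataclass
class LoadedImage:
    path: str
    runtime_text: int   # where __TEXT actually landed (from "info shared" / vmmap)
    vmaddr: int         # __TEXT vmaddr on disk (the address IDA shows)
    vmsize: int
    pie: bool

    @property
    def slide(self) -> int:
        # A non-PIE image loads at its vmaddr, so its slide is 0.
        return self.runtime_text - self.vmaddr


def unslide(addr: int, images: List[LoadedImage], full_path: bool = True) -> Optional[Tuple[str, int]]:
    """Find the image whose __TEXT segment contains addr; return (image name, on-disk address).

    Only __TEXT is checked here; a complete implementation would walk every segment
    of every image. Returns None for addresses outside all known images (heap, stack, ...).
    """
    for img in images:
        if img.runtime_text <= addr < img.runtime_text + img.vmsize:
            name = img.path if full_path else os.path.basename(img.path)
            return name, addr - img.slide
    return None


def build_header(vmaddr: int, vmsize: int, pie: bool) -> bytes:
    """Construct a minimal 64-bit Mach-O (x86_64 MH_EXECUTE) with one __TEXT segment. Test data only."""
    seg = struct.pack(SEGMENT_FMT, LC_SEGMENT_64, struct.calcsize(SEGMENT_FMT),
                      b"__TEXT", vmaddr, vmsize, 0, vmsize, 5, 5, 0, 0)
    hdr = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x01000007, 0x80000003, 2, 1, len(seg),
                      MH_PIE if pie else 0, 0)
    return hdr + seg


def demo_images() -> List[LoadedImage]:
    """Constructed process layout: a PIE main binary and one dylib (names/addresses are made up)."""
    images = []
    for path, runtime_text, header in [
        # a PIE executable keeps the usual 0x100000000 __TEXT base on disk but is slid at runtime
        ("/bin/ls", 0x10A7A5000, build_header(0x100000000, 0x5000, True)),
        # dylibs on disk typically have __TEXT vmaddr 0, so their slide equals the load address
        ("/usr/lib/libfoo.dylib", 0x7FFF6A100000, build_header(0, 0x20000, True)),
    ]:
        vmaddr, vmsize, pie = text_segment(header)
        images.append(LoadedImage(path, runtime_text, vmaddr, vmsize, pie))
    return images


if __name__ == "__main__":
    imgs = demo_images()
    for a in (0x10A7A6B40, 0x7FFF6A10C3D0, 0x7FFF5FBFF000):
        hit = unslide(a, imgs, full_path=False)
        print(hex(a), "->", hit and (hit[0], hex(hit[1])))
```

Running the script resolves 0x10a7a6b40 to ls at 0x100001b40 and 0x7fff6a10c3d0 to libfoo.dylib at 0xc3d0, while the stack-like address yields no image, which is the case a lookup like this has to handle gracefully rather than report a bogus slide.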

[Screenshots: gdb1, gdb2]

I don’t like the lack of alignment of the image name, but fixing that requires more messing with gdb internals and I need a new dose of courage to get into it. Submit patches if you dare :-)!

Source code is located at the GitHub repo – https://github.com/gdbinit/gdb-ng – which also has fixes to use Darwinbuild with Xcode 5. Maybe I should buy an Apple developer certificate and start distributing signed binaries.

Have fun and say thanks to COSEINC for the patch,
fG!

P.S.: See this post on how to compile gdb using darwinbuild.

Update: I just added an option to print only the image name, without the full path. It is disabled by default; the variable to set is “print-full-path”. Just pull from the GitHub repo.

4 thoughts on “One small patch for gdb, one giant leap for reversers!”

  1. Hi, I’m looking to get gdb up and running on Mountain Lion 10.8.5 with Xcode 5.0.1, if possible. Does downloading your gdb-ng come with the gdb source, or do I need to download it separately? I’m having minor difficulties compiling this.

  2. Hi!
    Nice, fG!
    Your gdbinit and gdb-ng are very useful!
    I use gdbinit on Mac OS X ML and gdb6 for debugging kexts and enjoy it! But I don’t use it as gdbinit because hook_stop fails. I solved this problem very easily, with the source command ((gdb) source /path/to/fG_gdb_helper).
    Is it possible to patch the gdb source for debugging usermode and kernelmode code in the same gdb session, for example syscalls or IOKit client-driver debugging? What do you think, fG!?

    1. Hi,

      As far as I remember, you just need to use the 64bits or 32bits command to fix that when you start it. This is because it cannot identify the size of the pointers and gets confused. I think that’s the issue I had when doing kernel debugging. I can’t remember any other problems I had.

      fG!
