Background
I've recently started a new semester for my Master's program, and the first project for the semester involves using the GDB tool (GNU Debugger) to analyze the stack of a simple C program that contains a buffer overflow vulnerability. A couple of semesters ago, I had been given a VM pre-loaded with a more fully featured debugger tool called pwndbg. Pwndbg was excellent because it was easy to use and gave easy access to information such as the assembly code currently being executed and a view of the program registers. So, going back to plain GDB felt a little like stepping back into the stone age.
For this project, one of the TAs recommended watching a video called Give me 15 minutes & I'll change your view of GDB. In the video, the presenter, Greg Law, mentions that while GDB is easy to use, it is difficult to learn. He introduces a tool in GDB called TUI (Text User Interface). This tool lets the programmer see the executing program's source, its assembly, and the program registers at the same time (similar to what pwndbg offered). For reverse engineering and program forensics, these items are critical.
How to Access TUI
To access the TUI interface, first compile your C program with the gcc compiler and use the -g option. This option gives the GDB tool more information about your program (debug symbols, including the mapping from addresses to source lines). Then, run GDB on your compiled program and use start to hit a temporary breakpoint once the program enters the main function.
Once the program has started, you can enter TUI mode either by pressing Ctrl+X+A or by entering tui enable into GDB.
Once inside TUI mode, you can see the program's current point of execution marked in the line that's highlighted. In this case, my program is currently at line 7. To see what assembly is currently being executed, type in layout asm. To enable split screen (source and assembly side by side), press Ctrl+X and then press 2.
With this split screen view enabled, I can use the next command in GDB to step through the program one line at a time and see which assembly instruction and which line of the program is currently being executed.
To see the program's registers, use the layout reg command.
Before TUI was enabled, pressing the up key would iterate through previous commands. However, with TUI enabled, pressing the up and down keys scrolls through the assembly instructions instead. To iterate through previous commands, use Ctrl+P. If you would like to switch back to using the arrow keys for the command line, enter focus cmd to switch focus to the command line.
To exit TUI and go back to the GDB console interpreter, either use Ctrl+X+A or type in tui disable.
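The TUI itself needs an interactive terminal, but the same information its windows show (source lines, the disassembly of main, the program counter after start) can be pulled out of a scripted GDB session. The following shell script is an added example, not code from the post or the course: it builds a small constructed C program once with -g and once without, and lets you see what the -g option actually adds. It assumes gcc and gdb are on PATH.

```shell
#!/bin/sh
# Added example: scripted counterpart of the TUI session described above.
# Assumes gcc and gdb are installed; the C program is constructed here.
set -u
WORK=${TMPDIR:-/tmp}/gdb_tui_demo.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal program with a fixed-size buffer, just something to stop in at main.
cat > "$WORK/prog.c" <<'EOF'
#include <stdio.h>
#include <string.h>
int main(void) {
    char buf[16];
    strncpy(buf, "hello", sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    printf("%s\n", buf);
    return 0;
}
EOF

# Build twice, with and without -g, so the difference can be observed.
gcc -g -O0 -o "$WORK/prog_dbg" "$WORK/prog.c"
gcc -O0 -o "$WORK/prog_nodbg" "$WORK/prog.c"

# has_line_info BINARY: exit 0 if gdb can map main to a source line,
# i.e. the binary carries the line information that -g adds.
has_line_info() {
    gdb -batch -nx -ex 'info line main' "$1" 2>/dev/null | grep -q 'starts at address'
}

# show_static BINARY: what "layout split" draws, without running the program:
# source lines of main interleaved with its disassembly (needs -g for the source).
show_static() {
    gdb -batch -nx -ex 'disassemble /s main' "$1"
}

# show_live BINARY: what "start" followed by "layout reg" gives in the TUI:
# stop at main, print the program counter, then the next four instructions.
# Needs ptrace, so it may fail in sandboxes that forbid it.
show_live() {
    gdb -batch -nx -ex 'start' -ex 'p $pc' -ex 'x/4i $pc' "$1" 2>/dev/null
}

if [ "${1:-}" = "run" ]; then
    show_static "$WORK/prog_dbg"
    show_live "$WORK/prog_dbg" || echo "live session unavailable (ptrace blocked?)"
fi
```

Run it as `sh demo.sh run`; has_line_info succeeds for prog_dbg and fails for prog_nodbg, which is exactly why the TUI source window stays empty for a binary built without -g.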
Summary
As Greg Law mentions in Give me 15 minutes & I'll change your view of GDB, while GDB is easy to use, it has a bit of a learning curve. Before I saw this video, I was not aware of the TUI interface and assumed that viewing register values would be much more cumbersome than it actually is. I recommend checking out this list of TUI commands to get more familiar with the commands.
Happy hacking!