pwnlib.gdb |
您所在的位置:网站首页 › attach with › pwnlib.gdb |
|
Launch a GDB server with the specified command line, and launches GDB to attach to it. Parametersargs (list) – Arguments to the process, similar to process. gdbscript (str) – GDB script to run. exe (str) – Path to the executable on disk env (dict) – Environment to start the binary in ssh (ssh) – Remote ssh session to use to launch the process. sysroot (str) – Set an alternate system root. The system root is used to load absolute shared library symbol files. This is useful to instruct gdb to load a local version of binaries/libraries instead of downloading them from the gdbserver, which is faster api (bool) – Enable access to GDB Python API. Returnsprocess or ssh_channel – A tube connected to the target process. When api=True, gdb member of the returned object contains a Gdb instance. Notes The debugger is attached automatically, and you can debug everything from the very beginning. This requires that both gdb and gdbserver are installed on your machine. When GDB opens via debug(), it will initially be stopped on the very first instruction of the dynamic linker (ld.so) for dynamically-linked binaries. Only the target binary and the linker will be loaded in memory, so you cannot set breakpoints on shared library routines like malloc since libc.so has not even been loaded yet. There are several ways to handle this: Set a breakpoint on the executable’s entry point (generally, _start)This is only invoked after all of the required shared libraries are loaded. You can generally get the address via the GDB command info file. Use pending breakpoints via set breakpoint pending onThis has the side-effect of setting breakpoints for every function which matches the name. For malloc, this will generally set a breakpoint in the executable’s PLT, in the linker’s internal malloc, and eventaully in libc’s malloc. Wait for libraries to be loaded with set stop-on-solib-event 1There is no way to stop on any specific library being loaded, and sometimes multiple libraries are loaded and only a single breakpoint is issued. Generally, you just add a few continue commands until things are set up the way you want it to be. Examples Create a new process, and stop it at ‘main’ >>> io = gdb.debug('bash', ''' ... break main ... continue ... ''')Send a command to Bash >>> io.sendline(b"echo hello") >>> io.recvline() b'hello\n'Interact with the process >>> io.interactive() >>> io.close()Create a new process, and stop it at ‘_start’ >>> io = gdb.debug('bash', ''' ... # Wait until we hit the main executable's entry point ... break _start ... continue ... ... # Now set breakpoint on shared library routines ... break malloc ... break free ... continue ... ''')Send a command to Bash >>> io.sendline(b"echo hello") >>> io.recvline() b'hello\n'Interact with the process >>> io.interactive() >>> io.close()Using GDB Python API: Using SSH: You can use debug() to spawn new processes on remote machines as well, by using the ssh= keyword to pass in your ssh instance. Connect to the SSH server and start a process on the server >>> shell = ssh('travis', 'example.pwnme', password='demopass') >>> io = gdb.debug(['whoami'], ... ssh = shell, ... gdbscript = ''' ... break main ... continue ... ''')Send a command to Bash >>> io.sendline(b"echo hello")Interact with the process >>> io.interactive() # doctest: +SKIP >>> io.close() |
| CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3 |