GDB Guides Series:

  1. GDB Guide Part 1 - Basics
  2. GDB Guide Part 2 - Breakpoints & Linux Calling Conventions
  3. GDB Guide Part 3 - Process Maps
  4. GDB Guide Part 4 - Examining Memory
  5. GDB Guide Part 5 - Stepping
  6. GDB Guide Part 6 - Automation
  7. GDB Guide Part 7 - Custom Commands
  8. GDB Guide Part 8 - Invoking Function Calls

1. Introduction

Part 4 of this guide will be kept unusually short as I am currently down with a fever. However, I still wanted to get something out this week.

Today, we will look at examining process memory using GDB, and I will also showcase a useful trick for examining memory with eval.

2. Examine Command (x/)

To examine the process’s memory, we always start with the prefix x/, followed by a description of what we wish to examine (count, unit size and format) and the address to examine.

2.1 Bytes

This example shows you how to display 16 bytes from 0x7ffd2d856f1b.

(gdb) x/16bx 0x7ffd2d856f1b

0x7ffd2d856f1b: 0x48    0x65    0x6c    0x6c    0x6f    0x20    0x57    0x6f
0x7ffd2d856f23: 0x72    0x6c    0x64    0x21    0x00    0x00    0x7f    0xfb
Examining 16 Bytes from Address

2.2 Half Words (2 Bytes)

This example shows you how to display 8 half words from 0x7ffd2d856f1b.

(gdb) x/8hx 0x7ffd2d856f1b

0x7ffd2d856f1b: 0x6548  0x6c6c  0x206f  0x6f57  0x6c72  0x2164  0x0000  0xfb7f
Examining 8 Half Words from Address

2.3 Words (4 Bytes)

This example shows you how to display 4 words from 0x7ffd2d856f1b. When dealing with 32-bit binaries, it is useful to display the memory as words if the address being examined holds a pointer.

(gdb) x/4wx 0x7ffd2d856f1b

0x7ffd2d856f1b: 0x6c6c6548      0x6f57206f      0x21646c72      0xfb7f0000
Examining 4 Words from Address

2.4 Giant Words (8 Bytes)

This example shows you how to display 2 giant words from 0x7ffd2d856f1b. For 64-bit binaries, it is useful to display the memory as giant words if the address being examined holds a pointer.

(gdb) x/2gx 0x7ffd2d856f1b

0x7ffd2d856f1b: 0x6f57206f6c6c6548      0xfb7f000021646c72
Examining 2 Giant Words from Address

2.5 Strings

This example shows you how to display the bytes as ASCII characters. The command prints each byte as a character, beginning at the starting address, until it hits a 0x00 byte.

(gdb) x/s 0x7ffd2d856f1b

0x7ffd2d856f1b: "Hello World!"
Examining String from Address
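
The dumps in sections 2.1 to 2.5 all show the same 16 bytes; the wider units look reordered because x86-64 is little-endian. The following Python sketch is an added example, not part of the original guide, that rebuilds each view from the raw bytes of the x/16bx dump. The function names are hypothetical, and the row widths are simply those seen in the dumps above.

```python
# Added illustration: re-create the x/<count><unit>x views shown above from raw bytes.
# BASE and MEM are copied from the x/16bx dump in section 2.1.
BASE = 0x7ffd2d856f1b
MEM = bytes.fromhex("48656c6c6f20576f726c642100007ffb")

UNIT_SIZE = {"b": 1, "h": 2, "w": 4, "g": 8}  # GDB unit letter -> size in bytes


def units(mem, unit, count, byteorder="little"):
    """Decode `count` consecutive units; little-endian matches x86-64."""
    size = UNIT_SIZE[unit]
    if count * size > len(mem):
        raise ValueError("request runs past the captured bytes")
    return [int.from_bytes(mem[i * size:(i + 1) * size], byteorder)
            for i in range(count)]


def examine(mem, base, unit, count):
    """Format rows like `x/<count><unit>x <base>` (row widths as in the dumps above)."""
    size = UNIT_SIZE[unit]
    per_row = 8 if unit == "b" else 16 // size
    values = units(mem, unit, count)
    rows = []
    for start in range(0, count, per_row):
        cells = "\t".join(f"0x{v:0{size * 2}x}"
                          for v in values[start:start + per_row])
        rows.append(f"0x{base + start * size:x}:\t{cells}")
    return rows


def c_string(mem):
    """x/s view: take characters up to (not including) the first 0x00 byte."""
    return mem[:mem.index(b"\x00")].decode("ascii")


if __name__ == "__main__":
    for unit, count in (("b", 16), ("h", 8), ("w", 4), ("g", 2)):
        print(f"(gdb) x/{count}{unit}x {BASE:#x}")
        print("\n".join(examine(MEM, BASE, unit, count)))
    print(f"(gdb) x/s {BASE:#x}")
    print(f'{BASE:#x}: "{c_string(MEM)}"')
```

Passing byteorder="big" to units() shows what the same bytes would look like on a big-endian target, which is a quick way to confirm that a value in a dump is a pointer rather than string data.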

2.6 Instructions

This example shows you how to display 5 instructions from the current instruction. Note that on x86-64, $pc is just an alias for $rip, which is the instruction pointer.

(gdb) x/5i $pc

=> 0x5ecd0af2e1d1 <func_1+8>:   sub    $0x10,%rsp
   0x5ecd0af2e1d5 <func_1+12>:  mov    %rdi,-0x8(%rbp)
   0x5ecd0af2e1d9 <func_1+16>:  mov    %rsi,-0x10(%rbp)
   0x5ecd0af2e1dd <func_1+20>:  mov    -0x8(%rbp),%rax
   0x5ecd0af2e1e1 <func_1+24>:  mov    %rax,%rsi
Examining 5 Instructions from Instruction Pointer

3. Creative usage of eval

If you want to automate your GDB script and vary the number of bytes examined, you can build the x/ command from convenience variables using eval, which takes a printf-style format string:

(gdb) set $num_bytes = 16
(gdb) set $addr = 0x7ffd2d856f1b
(gdb) eval "x/%dbx %p", $num_bytes, $addr

0x7ffd2d856f1b: 0x48    0x65    0x6c    0x6c    0x6f    0x20    0x57    0x6f
0x7ffd2d856f23: 0x72    0x6c    0x64    0x21    0x00    0x00    0x7f    0xfb
Eval Usage Example

4. Conclusion

That is it folks. T’was short and mundane, but I hope you found the eval usage meaningful to use in your everyday work. Gotta go rest in bed now.

