PEDA (Python Exploit Development Assistance for GDB) is a Python script that extends GDB with specialized commands and features for binary exploitation and debugging. It automates common exploit development tasks and provides enhanced visualization of memory, registers, and stack frames.
PEDA is particularly valuable for:
- Vulnerability discovery in compiled binaries
- Return-oriented programming (ROP) chain generation
- Buffer overflow exploitation
- Stack and heap analysis
- Format string vulnerability detection
- GDB 7.0 or later
- Python 2.7+ or Python 3.x
- Linux/Unix system (primary target)
# Clone PEDA repository
git clone https://github.com/longld/peda.git ~/peda
# Add to GDB initialization
echo "source ~/peda/peda.py" >> ~/.gdbinit
# Verify installation
gdb -q
gdb ./vulnerable_binary
# You should see PEDA banner and commands available
peda> help
| Command | Purpose | Example |
|---|
peda help | List all PEDA commands | peda> peda help |
peda version | Show PEDA version | peda> peda version |
checksec | Check binary security protections | peda> checksec |
vmmap | Display virtual memory mappings | peda> vmmap |
readelf | Parse ELF file information | peda> readelf |
procinfo | Show process information | peda> procinfo |
dumpelf | Dump ELF header and sections | peda> dumpelf |
| Command | Description |
|---|
stack <n> | Display stack content (default 10 frames) |
stackbase | Show stack base address |
offset <addr> | Calculate offset from stack base |
telescope <addr> <count> | Display memory with pointers dereferenced |
xinfo <addr> | Show detailed address information |
gdb ./binary
(gdb) break main
(gdb) run
(gdb) stack 20 # Show 20 stack entries
(gdb) telescope $rsp 10 # Show stack with pointers dereferenced
# Read memory at address
(gdb) readmem <address> <size>
# Search pattern in memory
(gdb) searchmem "pattern" <address>
# Find all occurrences of gadgets
(gdb) searchcode "ret"
| Command | Purpose |
|---|
reg | Display all registers with values |
reg <name> [value] | Get/set specific register |
dreg | Display registers with dereferenced pointers |
areg | Analyze register contents |
# Single step with PEDA display
(gdb) si
# Execute and stop at function
(gdb) run argument1 argument2
# Disassemble with PEDA enhancement
(gdb) pdisas main # PEDA-enhanced disassembly
# Set breakpoint at offset
(gdb) break *0x08048400
# Run until crash/breakpoint
(gdb) continue
# Step into function
(gdb) step
# Step over function call
(gdb) next
# Search for ROP gadgets in binary
(gdb) ropgadget
(gdb) ropgadget --search "pop ; ret"
(gdb) ropgadget --filter "rdi"
# Find specific gadget patterns
(gdb) ropgadget --only "mov|pop|ret"
# Start GDB with PEDA
gdb ./vulnerable_binary
# Find gadgets for exploitation
(gdb) break vulnerable_function
(gdb) run
(gdb) ropgadget --search "add rsp"
# Analyze potential ROP chain
(gdb) p/x $rip # Print instruction pointer
(gdb) telescope $rsp # Show stack for ROP payload
# Analyze format string parameters
(gdb) fmtstr_write <address> <value>
(gdb) fmtstr_read <address>
# Test format string vulnerability
(gdb) break printf_function
(gdb) run
(gdb) fmtstr <address> <offset>
# Detect format string vulnerability
gdb ./vulnerable_binary
(gdb) break main
(gdb) run
(gdb) p/x $rbp # Get base pointer value
(gdb) fmtstr 0x7fff # Test format string
# Analyze stack frame for overflow potential
(gdb) pattern_create <size> <filename> # Generate pattern
(gdb) pattern_offset <value> # Find offset of crash
# Create 100-byte pattern
(gdb) pattern_create 100 /tmp/pattern.txt
# Find offset when crash occurs
(gdb) run < /tmp/pattern.txt
# (binary crashes)
(gdb) pattern_offset <crash_value>
# 1. Generate pattern
gdb ./overflow_binary
(gdb) pattern_create 200 /tmp/payload.txt
# 2. Run with pattern
(gdb) run < /tmp/payload.txt
# 3. Get EIP/RIP value at crash
# Crash address shown in registers
# 4. Find offset
(gdb) pattern_offset <crash_address>
# 5. Craft exploit
python3 -c "print('A' * offset + 'AAAA' + shellcode)" > exploit
(gdb) run < exploit
# Break on specific register value
(gdb) break *main+100 if $eax == 0x41414141
# Break when address accessed
(gdb) watch <address>
(gdb) watch -l <address> # Hardware watchpoint
# Break on condition
(gdb) break function if argc > 1
# Enable instruction trace
(gdb) trace
(gdb) trace stop
# Log all commands
(gdb) set logging on
(gdb) set logging file /tmp/gdb.log
(gdb) run
# Disable logging
(gdb) set logging off
# Patch memory at runtime
(gdb) p <address> = <value>
(gdb) set {unsigned int}<address> = 0x90909090
# Write bytes to memory
(gdb) set {unsigned char}<address> = 0x90 # NOP instruction
# Verify patch
(gdb) x/i <address>
# Display heap information
(gdb) heap
(gdb) heap chunks
(gdb) heap bins
# Analyze heap corruption
(gdb) heap validate
(gdb) heap stats
# Monitor heap allocations
(gdb) break malloc
(gdb) run
(gdb) heap # Show heap structure
# Track allocation pattern
(gdb) continue
(gdb) heap chunks # Show allocated chunks
# Create PEDA command script
cat > /tmp/peda_commands.txt << 'EOF'
break main
run
stack 20
vmmap
checksec
ropgadget --search "ret"
quit
EOF
# Run with script
gdb -x /tmp/peda_commands.txt ./binary
# Create custom PEDA command in ~/.gdbinit
define custom_exploit
python
# Custom Python code here
peda.execute_redirect("vmmap")
print("Custom command executed")
end
end
gdb ./binary
(gdb) checksec # Full security analysis
# Output shows:
# - RELRO (Relocation Read-Only)
# - Stack Canary
# - NX (No-Execute)
# - PIE (Position Independent Executable)
# - ASLR (Address Space Layout Randomization)
# Disable ASLR for debugging
(gdb) set disable-randomization on
# Continue with consistent addresses
(gdb) run
(gdb) vmmap # Verify ASLR disabled
# 1. Analyze binary
gdb ./vulnerable
(gdb) checksec # Check protections
(gdb) pdisas main # Examine main function
(gdb) readelf # Parse ELF structure
# 2. Find vulnerability
(gdb) break vulnerable_func
(gdb) run
(gdb) stack 20 # Inspect stack
# 3. Calculate offset
(gdb) pattern_create 500 /tmp/pat.txt
(gdb) run < /tmp/pat.txt
(gdb) pattern_offset <crash>
# 4. Find gadgets
(gdb) ropgadget --search "pop rdi"
(gdb) ropgadget --filter "system"
# 5. Build exploit
(gdb) p/x &system_function
(gdb) p/x &exit_function
| Shortcut | Equivalent Command |
|---|
c | continue |
s | step |
n | next |
si | stepi |
ni | nexti |
p | print |
x | examine |
b | break |
r | run |
q | quit |
- Save PEDA config: Store custom commands in
.gdbinit for reuse
- Disable ASLR when debugging: Use
set disable-randomization on for consistent addresses
- Use pattern generation: Always use
pattern_create for buffer overflow detection
- Monitor stack changes: Use
telescope frequently to track stack modifications
- Document findings: Save output with
set logging on for reference
- Test exploits locally: Always test before deployment to target
- Use conditional breakpoints: Break only on interesting conditions to speed up debugging
| Issue | Solution |
|---|
| PEDA commands not found | Verify source ~/peda/peda.py in ~/.gdbinit |
| Python errors | Ensure Python version matches GDB compilation |
| Memory access errors | Use set disable-randomization on |
| Gadget search slow | Filter results with --filter option |
| ASLR interferes with debugging | Disable with echo 0 > /proc/sys/kernel/randomize_va_space |
PEDA transforms GDB into a specialized exploit development toolkit. Key capabilities include:
- Automated pattern generation for buffer overflow detection
- ROP gadget finding for code reuse exploitation
- Detailed memory visualization for vulnerability analysis
- Security protection checking (ASLR, DEP, canaries)
- Format string analysis for string vulnerability exploitation
- Heap inspection for heap-based vulnerability detection
Master PEDA by combining it with manual binary analysis for comprehensive vulnerability discovery and exploitation.
