pwndbg - GDB/LLDB Exploit Development Cheatsheet

pwndbg - GDB/LLDB Exploit Development Cheatsheet

pwndbg (pronounced “pwn-dee-bee-gee”) is a Python plugin that loads into GDB — and now LLDB — to make exploit development and reverse engineering far less painful. It adds heap inspection, ROP gadget search, register/stack/pointer “telescoping,” a smart context display on every stop, and dozens of commands that core debuggers never provided. It is a successor in spirit to PEDA and a sibling to GEF.

Installation

Method	Command
Setup script (recommended)	git clone https://github.com/pwndbg/pwndbg && cd pwndbg && ./setup.sh
Nix	nix profile install github:pwndbg/pwndbg
Arch (AUR)	yay -S pwndbg
Manual GDB load	add source /path/to/pwndbg/gdbinit.py to ~/.gdbinit
LLDB	add command script import /path/to/pwndbg/lldbinit.py to ~/.lldbinit
Verify	start gdb — you should see the pwndbg> prompt

Starting a Session

Command	Description
gdb ./binary	Load a binary under pwndbg
gdb -p PID	Attach to a running process
gdb ./binary core	Open a core dump for post-mortem analysis
start	Run and break at main
entry	Run and break at the ELF entry point
r ARGS	Run with arguments
starti	Stop at the very first instruction

Context & Navigation

Command	Description
context	Redraw the full context (regs, disasm, stack, backtrace)
context reg	Show only the registers pane
ctx-watch EXPR	Add an expression to the context watch pane
nextcall	Step until the next call instruction
nextret	Step until the next ret
stepuntilasm mov	Step until a given mnemonic
xinfo ADDR	Explain what an address maps to (which mapping/section)

Memory Inspection

Command	Description
telescope ADDR	Dereference and “telescope” a chain of pointers
telescope $sp 20	Telescope 20 entries from the stack pointer
hexdump ADDR	Hex+ASCII dump (the command GDB never had)
vmmap	Show the process virtual memory map
vmmap libc	Filter the memory map by name
search -t string "PASS"	Search memory for a string
search -t bytes 0xdeadbeef	Search memory for a byte pattern
distance ADDR1 ADDR2	Byte distance between two addresses
p2p MAP1 MAP2	Find pointer chains between two mappings

Heap Analysis (glibc)

Command	Description
heap	List heap chunks
bins	Show all free bins (fast, tcache, small, large, unsorted)
tcache	Inspect the tcache
fastbins	Show fastbin contents
malloc_chunk ADDR	Decode a chunk header at an address
top_chunk	Show the top (wilderness) chunk
vis_heap_chunks	Visualize heap layout with colors
find_fake_fast ADDR	Hunt for fastbin fake-chunk targets

Exploit Development

Command	Description
cyclic 200	Generate a De Bruijn pattern (offset finder)
cyclic -l 0x6161616c	Look up the offset of a value in the pattern
rop --grep "pop rdi"	Search ROP gadgets
ropgadget	Dump gadgets (ROPgadget integration)
checksec	Show binary mitigations (NX, PIE, RELRO, canary)
got	Show the GOT and resolved addresses
plt	Show the PLT
aslr	Show/toggle ASLR for the debugee
canary	Show the current stack canary value

Breakpoints & Watchpoints

Command	Description
b *0x401136	Break at an absolute address
b main	Break at a symbol
breakrva 0x1136	Break at an RVA (handy with PIE)
watch GLOBAL	Break when a value changes
rwatch ADDR	Break on read access
ignore N COUNT	Ignore a breakpoint N times

Common Workflows

# Find the exact offset to overwrite a saved return address
pwndbg> cyclic 200
pwndbg> r            # paste the pattern, crash
pwndbg> cyclic -l $rsp   # report the offset

# Inspect mitigations, then look for a one-gadget-friendly ROP chain
pwndbg> checksec
pwndbg> rop --grep "pop rdi"

# Walk a heap use-after-free
pwndbg> vis_heap_chunks
pwndbg> bins

pwndbg vs GEF vs PEDA

Feature	pwndbg	GEF	PEDA
GDB support	Yes	Yes	Yes
LLDB support	Yes	No	No
Heap analysis	Deep (glibc)	Good	Limited
ROP tooling	Built-in	Built-in	Built-in
Active development	Yes	Yes	Minimal

Resources

• GitHub Repository
• Official Documentation
• Command Reference