Overview
GEF (GDB Enhanced Features) is a comprehensive GDB plugin that extends debugging capabilities with security-focused commands, improved visualization, and exploit development tools. It provides better context awareness, memory analysis, and vulnerability detection than standard GDB.
GEF is designed for:
- Binary exploitation and reverse engineering
- Security vulnerability identification
- Exploit development and testing
- Memory corruption vulnerability analysis
- Advanced debugging workflows
Installation
Prerequisites
- GDB 8.0 or later
- Python 3.6+
- Linux/Unix system
- Git (for cloning)
Quick Install
# Clone GEF repository
git clone https://github.com/hugsy/gef.git ~/gef
# Add to GDB initialization
echo "source ~/gef/gef.py" >> ~/.gdbinit
# Verify installation
gdb -q
# You should see GEF banner at startup
Alternative: Curl Installation
# Direct download and install
curl -L https://github.com/hugsy/gef/raw/main/gef.py -o ~/gef.py
echo "source ~/gef.py" >> ~/.gdbinit
# Optional: Create GEF config file
cat > ~/.gef.rc << 'EOF'
# GEF configuration
gef config gef.tempdir /tmp/gef
gef config theme elegant
gef config readline.history 10000
EOF
Core Commands
| Command | Purpose | Example |
|---|
gef help | Show all GEF commands | gef> gef help |
gef version | Display GEF version | gef> gef version |
gef config | Manage GEF settings | gef> gef config |
gef set | Change GEF configuration | gef> gef set theme light |
checksec | Analyze binary security protections | gef> checksec |
vmmap | Display virtual memory layout | gef> vmmap |
hex-dump | Show hex dump of memory | gef> hex-dump <address> |
Context Display and Analysis
Enhanced Context Commands
| Command | Description |
|---|
context | Display full execution context (register, stack, code) |
context args | Show function arguments |
context code | Display assembly code near current position |
context memory | Show memory content and access |
context stack | Display stack content with analysis |
context registers | Show register values with interpretation |
Display Context Information
# Full context display
gdb ./binary
(gdb) break main
(gdb) run
(gdb) context # Shows all: registers, stack, code
# Display only specific context
(gdb) context code # Only show assembly
(gdb) context stack # Only show stack
(gdb) context registers # Only show registers
Register Analysis
# Show all registers with values
(gdb) registers
# Display register with pointer dereferencing
(gdb) reg rax
(gdb) reg rdi $rax
# Analyze register content
(gdb) p/x $rax
(gdb) p/d $rbx
(gdb) p/s $rcx
Memory and Stack Analysis
Memory Inspection Commands
| Command | Purpose |
|---|
memory | Analyze memory regions |
memory watch | Monitor memory changes |
memory search | Find patterns in memory |
memory dereference | Follow pointer chains |
memory alignment | Check memory alignment |
Stack Analysis
# Display stack with context
(gdb) stack 20 # Show 20 stack entries
(gdb) dereference $rsp 10 # Dereference stack pointers
# Find stack canary value
(gdb) stack canary
# Monitor stack changes
(gdb) watch $rsp
Memory Search and Dump
# Search for specific bytes in memory
(gdb) search "A8 4A"
# Dump memory range as hex
(gdb) hex-dump <start_address> <size>
# Display memory as string
(gdb) memory read <address> 256
# Find writable memory sections
(gdb) memory regions
Binary Analysis and Disassembly
Disassembly Commands
| Command | Description |
|---|
disas <function> | Disassemble function with GEF enhancement |
disas <addr>, <addr> | Disassemble memory range |
disas /m <function> | Disassembly with source code |
set disassembly-flavor intel | Use Intel syntax |
set disassembly-flavor att | Use AT&T syntax |
Disassembly Examples
# Disassemble main function
(gdb) disas main
# Disassemble specific address range
(gdb) disas *0x08048400, *0x08048500
# Show source code with assembly
(gdb) disas /m vulnerable_function
# Follow execution flow
(gdb) disas $rip, $rip+50
ROP Gadget Detection and Analysis
Find ROP Gadgets
# Search for ROP gadgets (requires ROPgadget)
(gdb) rop
# Filter gadget results
(gdb) rop --filter "pop|ret"
(gdb) rop --search "mov rax"
# Find one-gadget exploits
(gdb) one-gadget
Gadget Analysis Workflow
# 1. Identify useful registers
(gdb) context registers
# 2. Search for loading gadgets
(gdb) rop --search "mov rdi"
# 3. Find system call gadgets
(gdb) rop --search "syscall"
# 4. Locate return gadgets
(gdb) rop --filter "ret"
Exploitation and Vulnerability Detection
# Analyze format string vulnerability
(gdb) fmtstr <address> <offset>
# Detect format string read
(gdb) fmtstr_read <address> <offset>
# Detect format string write
(gdb) fmtstr_write <address> <offset> <value>
Buffer Overflow Pattern Generation
# Create overflow pattern
(gdb) pattern <size> # Generate pattern inline
(gdb) pattern create <size> # Save to file
# Example: 100-byte pattern
(gdb) pattern create 100 /tmp/pattern.txt
# Find offset of value in pattern
(gdb) pattern offset <value>
# Practical overflow test
(gdb) break vulnerable_function
(gdb) run < /tmp/pattern.txt
# (binary crashes)
(gdb) pattern offset <crash_value>
Heap Analysis and Corruption Detection
Heap Inspection
# Display heap information
(gdb) heap
# Show heap chunks
(gdb) heap chunks
# Analyze heap bins
(gdb) heap bins
# Detect heap corruption
(gdb) heap validate
# Show heap statistics
(gdb) heap stats
Heap Exploitation Workflow
# Monitor allocations
(gdb) break malloc
(gdb) run
(gdb) heap # Show initial heap state
# Step through allocations
(gdb) continue
(gdb) heap chunks # Show chunk layout
# Detect use-after-free
(gdb) watch <pointer>
Breakpoint and Execution Control
Advanced Breakpoint Management
| Command | Purpose |
|---|
break <location> | Set standard breakpoint |
break <location> if <condition> | Conditional breakpoint |
tbreak <location> | Temporary breakpoint |
rbreak <pattern> | Set breakpoint on pattern match |
watch <expression> | Break on variable change |
awatch <expression> | Break on variable access/write |
Execution Control Examples
# Break on specific condition
(gdb) break malloc if $arg0 > 4096
# Break when register has value
(gdb) break *0x08048400 if $eax == 0x41414141
# Monitor stack pointer changes
(gdb) watch $rsp
# Hardware watchpoint
(gdb) awatch <address>
# Break on pattern in memory
(gdb) break *malloc if strncmp($arg0, "AAAA", 4) == 0
Advanced Debugging Techniques
Instruction Tracing
# Trace execution
(gdb) trace-instruction on
(gdb) run
(gdb) trace-instruction off
# Step and display context
(gdb) si # Step one instruction
(gdb) ni # Step over instruction
(gdb) continue # Continue execution
Code Patching and Manipulation
# Patch memory at runtime
(gdb) set {unsigned int}<address> = 0x90909090
# Write byte sequence
(gdb) set {unsigned char}<address> = 0x90
# Verify patch
(gdb) x/i <address>
# Patch and test exploit
(gdb) set {void *}<rip> = 0x<gadget_address>
Function Parameter Analysis
# Display function arguments (x86-64)
(gdb) info args
# Examine first argument (rdi)
(gdb) p/x $rdi
# Second argument (rsi)
(gdb) p/x $rsi
# Third argument (rdx)
(gdb) p/x $rdx
# Examine string argument
(gdb) p/s (char*)$rdi
Security Protection Analysis
Check Binary Protections
# Full security check
(gdb) checksec
# Output shows:
# - Canary (stack canary)
# - Fortify (source fortification)
# - NX (no-execute bit)
# - PIE (position independent executable)
# - RELRO (relocation read-only)
# - ASLR (address space layout randomization)
Bypass ASLR for Debugging
# Disable ASLR
(gdb) set disable-randomization on
# Verify ASLR disabled
(gdb) vmmap
(gdb) break main
(gdb) run
# Check consistent addresses
(gdb) info proc mappings
Data Structure Inspection
Parse Complex Structures
# Print structure at address
(gdb) p *(struct_type *)<address>
# Display array elements
(gdb) p array[0]@10 # Print first 10 elements
# Inspect linked list
(gdb) p *node->next
# Deep structure analysis
(gdb) p *((struct_type *)<address>)->member
# Find symbol address
(gdb) info address <symbol>
# List all symbols
(gdb) info symbols
# Search for function
(gdb) info functions <pattern>
# List variables
(gdb) info variables
Logging and Output
Command Logging
# Enable logging
(gdb) set logging on
(gdb) set logging file /tmp/gdb.log
# Verify logging
(gdb) run
(gdb) context
# Disable logging
(gdb) set logging off
# View log
!cat /tmp/gdb.log
Output Redirection
# Execute command and save output
(gdb) set logging overwrite on
(gdb) shell echo "Starting exploit test" >> /tmp/test.log
(gdb) disas main >> /tmp/disas.txt
(gdb) set logging off
Automation with Scripts
GDB Command Scripts
# Create script with GEF commands
cat > /tmp/exploit_script.gdb << 'EOF'
file ./vulnerable
break main
run
context
vmmap
checksec
break vulnerable_function
continue
stack 20
hex-dump $rsp 100
rop --search "pop rdi"
quit
EOF
# Execute script
gdb -x /tmp/exploit_script.gdb
Python Integration
# Python commands in GDB
(gdb) python
print(gdb.selected_frame().architecture().registers())
end
# Execute Python script
(gdb) source /tmp/custom_gef.py
Practical Exploitation Workflow
Complete Exploit Development
# 1. Load binary and analyze security
gdb ./vulnerable
(gdb) checksec # Check protections
(gdb) vmmap # View memory layout
# 2. Locate vulnerability
(gdb) disas main
(gdb) break vulnerable_func
(gdb) run "AAAA"
# 3. Crash analysis
(gdb) context # Full execution context
(gdb) p/x $rax # Examine registers
(gdb) hex-dump $rsp 100 # Show stack
# 4. Calculate offset
(gdb) pattern create 500
(gdb) run < /tmp/pattern.txt
(gdb) pattern offset <crash>
# 5. Find gadgets
(gdb) rop --search "pop rdi"
# 6. Build and test exploit
(gdb) p/x &system_function
(gdb) p/x &exit_function
Configuration and Customization
GEF Configuration Options
| Setting | Purpose | Example |
|---|
theme | Color theme (light/dark) | gef config theme light |
tempdir | Temporary directory | gef config gef.tempdir /tmp/gef |
max-display-items | Max items to show | gef config max-display-items 50 |
readline.history | Command history size | gef config readline.history 10000 |
Apply Configuration
# List all GEF settings
(gdb) gef config
# Set individual options
(gdb) gef set theme light
(gdb) gef set max-display-items 100
# Save configuration
(gdb) gef save # Saves to ~/.gef.rc
Use with ROPgadget
# Find gadgets with ROPgadget
ropgadget --binary ./vulnerable --search "pop rdi"
# Search in GEF
(gdb) rop --binary ./vulnerable
Use with Exploit-DB
# Find existing exploits
(gdb) shell searchsploit -t <vulnerability>
# Analyze found exploit
(gdb) shell cat /usr/share/exploitdb/exploits/linux/local/12345.py
Tips and Best Practices
- Use context frequently: Display context regularly to maintain situational awareness
- Enable ASLR protection: Only disable ASLR when necessary for debugging
- Save terminal output: Use
set logging on for exploitation walkthroughs
- Test locally first: Always test exploits locally before deployment
- Monitor memory changes: Use watchpoints for heap vulnerability debugging
- Document gadgets: Save ROP gadget searches for reference
- Use conditional breakpoints: Break only on interesting conditions
- Verify exploits: Test multiple times to ensure reliability
Common Workflows
Vulnerability Discovery
# 1. Run with ASAN/UBSAN
ASAN_OPTIONS=verbosity=1 ./vulnerable
# 2. Attach GEF for deeper analysis
gdb -p <pid>
(gdb) context
(gdb) vmmap
Reverse Engineering
# 1. Analyze binary structure
(gdb) checksec
(gdb) disas main
(gdb) info functions
# 2. Follow execution
(gdb) break <function>
(gdb) run
(gdb) disas /m <function>
Exploit Development
# 1. Identify vulnerability
(gdb) break vulnerable_func
(gdb) run <payload>
# 2. Analyze crash
(gdb) context
(gdb) pattern offset <value>
# 3. Develop exploit
(gdb) rop --search "gadgets"
(gdb) p/x <function_address>
Troubleshooting
| Issue | Solution |
|---|
| GEF not loading | Check ~/.gdbinit contains source ~/gef/gef.py |
| Python errors | Ensure Python 3.6+ and GDB with Python support |
| Slow performance | Reduce max-display-items or use specific context commands |
| Memory access errors | Enable set disable-randomization on |
| ROPgadget not found | Install with pip install ropgadget |
Resources
Summary
GEF enhances GDB with powerful security-focused debugging capabilities:
- Enhanced context display for better understanding of program state
- Security protection analysis (ASLR, DEP, canaries, PIE)
- Memory and heap analysis for corruption vulnerability detection
- ROP gadget finding for code reuse exploitation
- Automated pattern generation for overflow detection
- Integration with security tools (ROPgadget, Exploit-DB)
Combine GEF with vulnerability scanning tools and manual analysis for comprehensive binary exploitation and reverse engineering capabilities.
