Pwndbg Versions Save

Exploit Development and Reverse Engineering with GDB Made Easy

2024.02.14

2 months ago

2024.02.14 Release

Here is the 2024.02.14 release. Thanks to everyone who contributed!

Among others, this release brings a GOT tracking mechanism, more step/break commands, mmap/mprotect syscall commands, printing of linked lists, display of threads in the context view for multithreaded programs, lots and lots of fixes and more!

The release files can be used to install Pwndbg as a self-contained package (along with GDB, Python and all deps) on many distros and on the x86-64 and arm64/aarch64 architectures. The *-portable.tar.gz archives can simply be unpacked and run.

Below is a summary of changes, while the full changelog can be found further on.

Note: this release requires Python >= 3.8 (which means Ubuntu 18.04 or Debian 10 are not supported anymore).

Summary of changes

General changes:

  • Added portable Pwndbg archive to release as well as nix, rpm, deb, arch and alpine packages
  • Added $base(objfile_name) function to compute base address of given memory page, e.g. print $base(libc)+0x123 will return base of libc + 0x123
  • Context will now display threads information for multi-threaded programs
    • this is limited by context-max-threads parameter (use set context-max-threads <N> to change)
  • Added glibc heap exploitation support for libc 2.12+ (#1823)
  • Added support for FreeBSD (#1832)
  • The gdb-pt-dump git submodule was moved to a python dependency (#1929)

New commands:

  • track-got {enable,disable,info,query} ... can be used to track (#1971)
  • stepuntilasm <asm> will step through program instructions until a matching part of instruction string is found (#1798)
  • break-if-taken <loc> and break-if-not-taken <loc> will set up a breakpoint at the given location of a branch instruction that stops the program only if the branch is taken (or, respectively, not taken) (#1799)
  • plist ... can be used to print linked lists (#1795, #1817)
  • mmap ... and mprotect ... commands will invoke the mmap or mprotect syscalls with given arguments in the debugged program
    • note: this works by assembling shellcode for the syscall, placing it at the current PC/IP address, executing it, and then reverting the register and memory changes it made
  • thread command to display threads information
  • hi command to check if an address belongs to a glibc heap chunk (#1938)
  • tips to display tips about Pwndbg usage
  • sigreturn <address> to print sigreturn x86-64 frame (#1940)

Changed commands:

  • Added telescope --frame to display stack frame information (requires BP and SP to point to the same memory region) (#1855)
  • Glibc heap commands now also print real chunk size (#1748)
  • Added spray --only-funcptrs | -x flag to spray only the memory addresses where values point to executable memory pages (#1809)
  • Added -A <N> and -B <N> flags to vmmap to display N entries after/before the filtered page (#1810)
  • The linux kernel memory pages figured out by gdb-pt-dump can now be filtered in vmmap (they have unique names) (#1837)
  • Added new arguments/options to the search memory command (#1867)
  • telescope output can now show frame pointer offsets (#1925)
  • distance <single-address> now prints offset from memory page start address (#1926)
  • Added stack -i | --inverse to show stack in reverse order (#1978)
  • Added new positional argument to cyclic command to save its output to file (so it can later be used, e.g. as run < input) (#2009)

Full Changelog: https://github.com/pwndbg/pwndbg/compare/2023.07.17...2024.02.14

2023.07.17-pkgs

6 months ago

This is the 2023.07.17 release, but with packages for various distributions (Debian-like using dpkg, RHEL-like using yum/rpm, Arch Linux and Alpine (.apk)).

The packages are totally self-contained: they include everything you need to run GDB+Pwndbg after installation. They do not rely on any external dependencies and are built in a (hopefully) reproducible way using the Nix package manager.

Please ignore the 'source code' attached, it is from a later commit than 2023.07.17. The packages were built from the 2023.07.17 version.

2023.07.17

9 months ago

Here is the 2023.07.17 release. Thanks to everyone who contributed!

We would also like to honour Zach Riggle once again, who was a long-time contributor and maintainer of Pwndbg.

Also please note that this release will be the last to support Python 3.6 and Python 3.7 (and so Ubuntu 18.04 and Debian 10).

TL;DR what this release brings

  • The setup.sh now installs Python dependencies in a virtual environment created in pwndbg/.venv/, and gdbinit.py sets the appropriate paths so that this virtual environment is used automatically (previously we installed the dependencies into the system's Python interpreter, which could break users' setups)
  • New or improved commands:
    • The pwndbg helper command can now filter commands list by category, e.g.: pwndbg -c heap (categories are: heap, kernel, linux etc.)
    • Added killthreads [<ids....>] command to kill threads with given IDs
    • Added slab contains <addr> [<addrs...>] command to inspect Linux kernel heap (when debugging kernel)
    • Added spray <addr> ... command to spray memory with given values (instead of doing pi pwndbg.gdblib.memory.write(address, b'data'))
    • Improved got command display and filtering
    • Multiple heap commands improvements (heap, vis_heap_chunks optimized, find_fake_fast, *bins)
      • Optimized vis_heap_chunks command
    • telescope -r now always displays the input address
    • Fixed vmmap for 32-bit kernels
    • Fixed patch-list and patch-revert commands
    • More AI clouds support in the ai command
  • Improved RISC-V support -- added branch prediction through Unicorn emulation
  • Added basic heap heuristics for RISC-V and PowerPC
  • Added krelease function that allows us to implement different behavior for different Linux kernel versions
  • Better glibc version detection

...and other bug fixes and improvements. See below for full changelog!

Full Changelog: https://github.com/pwndbg/pwndbg/compare/2023.03.19...2023.07.17

2023.03.19

1 year ago

Here is the 2023.03.19 release. Thanks to everyone who contributed!

TL;DR what this release brings

  • New or edited commands:
    • kbase, kchecksec, slab - kernel-debugging-only commands to get the kernel base address, run checksec for the kernel and list kernel slabs
    • valist - dumps the arguments of a va_list structure at a given address
    • ai - ask AI about the current debugging session (requires openAI API key)
    • cunwatch now operates on the index/number of the expression instead of requiring the user to pass the whole expression to unwatch
    • cyclic - improved UX by adding nicer info/error messages
    • the tls command now leverages GDB's scheduler locking, so when it calls a function to obtain the TLS address no other target threads are allowed to run, which previously could cause issues on targets with multiple threads
  • We added command categories and refactored the display of pwndbg help :)
  • Added support for riscv:rv64 architecture
  • Lots of glibc heap commands fixes and improvements
    • Better support for 32-bit and big-endian architectures
    • Better heap heuristics
    • largebins now display bin size ranges instead of indexes
    • arena displays thread id
    • vis_heap_chunks has now --all-chunks to display all chunks
    • we renamed two flags in the vis_heap_chunks command (--naive -> --beyond-top and --display_all -> --no_truncate)
  • It is now possible to display instruction opcodes in the disasm context by setting set nearpc-num-opcode-bytes 9
  • Fixes for vmmap recursion errors
  • Fixes for Rust binaries debugging
  • Support for Rizin
  • Unicorn emulation is now disabled if mmap(1GB, RWX) fails, because Unicorn Engine aborts on environments with low memory
  • Improved virtualenv detection and warnings
  • Fixed the message shown when locales are wrong: in fact, Pwndbg requires the LC_CTYPE=C.UTF-8 environment variable and not LC_ALL=en_US.UTF-8 PYTHONIOENCODING=UTF-8 as it previously suggested

Full Changelog: https://github.com/pwndbg/pwndbg/compare/2022.12.19...2023.03.19

2022.12.19

1 year ago

A new release is here :). Thanks to all contributors for improving Pwndbg!

TL;DR what this release brings

  • New or edited commands:
    • kconfig to obtain debugged Linux kernel config
    • cymbol to add/show/load/edit/delete custom structures written in plain C
    • mprotect to set memory protections (the command was fixed as it was not working for some time)
    • bins and find_fake_fast were improved
    • cyclic - the Pwntools' pwn cyclic command was ported as a native command
  • We improved the support for debugging QEMU kernels, and more improvements and new commands are incoming
    • You can set Pwndbg to fetch vmmap info for kernels in three different modes, see help set kernel-vmmap
  • Added support for heap commands for cases when libc debug symbols are not present. For this, certain heuristics regarding the code are used and as a last resort, the user can set addresses of heap related symbols to make the heap command work properly. See heap_config and help set resolve-heap-via-heuristic for more information.
  • We improved coredump debugging (vmmap fetching)
  • We refactored lots of code and more refactoring is incoming
  • Lots of tests and CI targets were added to ensure we don't hit regressions
  • And more... see the full changelog below

Full Changelog: https://github.com/pwndbg/pwndbg/compare/2022.08.30...2022.12.19

2022.08.30

1 year ago

A new release is here :). Thanks to all contributors for improving Pwndbg!

TL;DR what this release brings

  • New commands or new flags:
    • attachp [pid | process name | device file] to attach to process by pid/name/device file,
    • setflag to set CPU flags register values,
    • telescope --reverse ... to see memory before a provided address,
    • heap_config to set heap commands configuration,
  • Better support for heap debugging without symbols:
    • It is now possible to make Pwndbg determine the addresses of heap symbols when they are missing; also this is going to be improved further soon,
    • If symbols cannot be found, heap_config can be used to configure symbols addresses,
    • We now define a $heap_base convenient variable,
  • better kernel debugging support - we use gdb-pt-dump to dump memory map information which should be much faster than the previous solution of parsing monitor info mem information,
  • better support for coredump debugging, mainly its vmmap display - we now parse what we can to get that info (btw GDB could improve on generating core dumps as well, see GDB-bugzilla#29508),
  • we now display file paths based on /proc/$pid/fd/$fd of opened files when showing the arguments of POSIX file APIs (open, read, write, close etc.) in the disasm view,
  • we now display tips when Pwndbg is launched (can be disabled with set show-tips off added to ~/.gdbinit)
  • better support for virtualenvs - though, we display a warning that this may not work as expected (due to C library dependencies like libffi-dev etc.)
  • more tests and improved CI as we now test on Ubuntu 18.04, 20.04 and 22.04,
    • ./tests.sh now has [<filter-tests-names>] [--pdb] arguments,
  • ...and lots and lots of fixes!

Full Changelog: https://github.com/pwndbg/pwndbg/compare/2022.01.05...2022.08.30

2022.01.05

2 years ago

Commits included:

96d3d5a (HEAD -> dev, tag: 2022.01.05) Set docs version to 2022.01.05
eec6f74 (origin/dev, origin/HEAD) Use `add-symbol-file` correctly.
439b660 added pylintrc file for standardized linting
cddbcb5 Fix search bug in kernel mode
6d2b6c6 .
5a39da7 moved block to source gdbinit
5844257 removed source line
a1c9d09 added little blurb for endeavourOS
0e45524 added command to source gdbinit.py
8b05953 Fixed multiple alignment issues of compact register view
38c38aa Fix typos
2616e70 Updated permissions for Docker container
1cc12ad Added devcontainer configuration for VS Code to directly develop inside Docker container
84e783a Ignore printing vertical tabs in vis_heap_chunks command
d348c74 Update emulator.py
9448cf5 Fix error message on interrupts
5c0627d Update pwndbg/glibc.py
e0e32dc fix ending of chain
bd7c3aa add test for heap bins
94eea64 safe-linking: use __libc_version when debug symbols loaded
09f2cb6 Add safe-linking support
95e3bb0 Fix lint
0ec3180 Hopefully fix windbg commands tests on CI
9636331 CI: show installed packages
1d70e14 Fix #932,#788: fix command parsing
d861d6e Skip attachp tests when cant attach
eee5dbc Remove Py2 class object inheritance
ef86a5c Remove shebang and coding lines
89b2df5 Remove incorrect i386 regs: dil/sil/spl/bpl
9a17798 Speedup emulator by disabling debug formatting when not debugging
270fef3 Remove redundant disasm.is_call function
af41986 Bump capstone to 4.0.2
e239e9c Hopefully fix recursion error
c8c9e3f Add Codecov
9c8df00 Add basic coverage testing
3583b57 fix(tempdir): use safe and unpredictable cachedir location
1c63382 Do not sort auxv, use the implicit order
526b3ea Hopefully fix CI tests
b203d53 SLES/OpenSUSE: enable debugging repo before installing
6fd42dd Add attachp command and tests for it
1e28920 Stop skipping tests
34f9535 Fix isort
4439446 Maintain backward compatibility with Python < 3.10
07b7c75 Migrate to 3.10 compatible abc usage.
b739733 fix typo in dd command
f11afe2 Fix get_highlight_source line splitting
8cc218f Adding p2p command - pointer chain search
a7a554f Add square brackets to vmmap's anonymous map names
648c7f0 Fix heap unprinted messages
e2c899e Fix isort lint import issues
00e94a9 Fix unprinted 'Unknown register' context warning
8975d42 Better pwndbg.commands.OnlyWithFile error for QEMU targets
c294ede pwndbg.file.get_file: better warning message
32cdc10 piebase, breakrva: print error on failures
71291d8 Fix vmmap_load on remote targets

2021.06.22

2 years ago

The 2021 release, which contains many fixes & some enhancements.

Thanks to all contributors!

TL;DR git log since last release:

a79c85b (HEAD -> dev, tag: 2021.06.22, origin/dev, origin/HEAD) Update links to use Discord
668e53f Fix xinfo used with symbols that are function pointers
8db8f4d fix: update_length() raise exception in some cases
30d6745 Make brva alias accept same args as breakrva
aa25aac fix(disasm,emulate): support mips32r6
44471df fix(emulate): refix emulate, let it works correct on unicorn-1.0.2rc1 ~ unicorn-1.0.2
99a5ef3 fix exception raised by cs.syntax when debugging mips binary
5389eb6 fix(emulate): let `emulate` works on unicorn-1.0.2rc1 ~ unicorn-1.0.2
87da998 fix(telescope): also unroll buffer if last line is skipped
05036de fix(telescope): avoid superfluous whitespace after register column
75b4249 feature(telescope): reduce cognitive load by adding skip count label
baf3fe7 feature(telescope): option to set min repeating values before skipping
14325af chore: clean up unused imports
a8c2fb5 fix(ui): fix display of addrsz to be hex formated
a5c9738 feature(radare2): add r2pipe command to execute stateful radare2 cmds
5d0441b feature(shell): put 'pwn' into allow list for pwntools
56d1fac chore(profile): extend test binary so unicorn engine shows more code flow
f1aa0c8 feature(profile): use a simple module based approach to define profiles
fbfd47f fix(profile): accept any valid location for pyprof2calltree
87bf6ac chore(ghidra): simplify logic and clean up code flow
707fe12 chore(ghidra): use memoize feature to cache r2pipe handle
44770fd fix(ghidra): handle PIE base address when opening the r2pipe
71ca721 feature(ghidra): use configurable code prefix marker for line indicator
a100d87 fix(ghidra): make if-no-source condition work as expected
6354fdc fix(ghidra): avoid crash if we try to decompile a faulty addr/func
e8b5124 chore(ghidra): modularize ghidra functions into utils and commands
b036575 feature(radare2): add argument to set base when loading for PIE (#897)
cd3cbf3 Update README to show more modern supported Linux versions (#885)
00c9740 use_info_auxv() : change regex (#894)
96df189 Changed register list to use precomputed tuples (#866)
cd0cd82 Fixed bug when the GDB is debugging an architecture arm-eabi (disassembly-flavor). (#889)
4d213a1 Fix #881 (#883)
ae6f25a Fix #858 (#877)
26a18f1 Remove quotes from command option interpolation (#876)
bf49bf8 Unit test fix (#868)
5639589 Remove unimplemented dlmalloc (#874)
c31c720 docs: fix simple typo, divison -> division (#870)
f74aa34 The disassembly flavor is hard-coded. It does not change from Intel to AT&T (#860)
304bf26 Improved the number of Runs/Layers in the container. Upgraded Ubuntu and install GoLand to run the tests. (#862)
cc92959 Added comment command  (#857)
812278b Allow return offsets and use it for 'start' method. (#864)
bde3637 added fix for i386 libc6-dbg package. (#859)
29f962c ropgadget: fix path export. (#854)
cfe93ab fix for ubuntu 20.04 (#850)
979d330 Fixes #841
30c816b Moved filename to the end of the command (#842)
ea11f86 Add basic i8086 support (#835)
f096be7 Compact, [big-endian] hexdump (#839)
779634a fix prev chunk size check (#837)
9250cc5 Compact register list for context view (#830)
7690b60 Fixed bug: bins gets the wrong pointer offset (#832)
d626db1 add config context-backtrace-lines (#831)
b209c2b Added installation configuration for Gentoo (#820)
a9c43ed In setup.sh, remove installation of python2 for apt (#828)
487caa1 Fix #814: better aslr output (#818)
301012a Py3k (#817)
ccd8f76 Remove travis (#816)
ce2266e Add GitHub Actions support (#809)
15b11c7 Add Dockerfile for easier dev (#815)
96716ce Fix mprotect failing on py2

2020.07.23

3 years ago

This release brings a lot of fixes and improvements and a new mprotect command that injects/calls the corresponding syscall (x64/x86 only for now).

Thanks to all contributors!

Detailed commit log

  • fa326d3 - Fix disasm call target display when symbol is known (#801)
  • 9c60b62 - arch.py: remove unused instruction (#800)
  • 21319d3 - Add repeat mode dX commands (#791) (#799)
  • 79140e3 - Fix dqs windbg command (#798)
  • d088019 - Update .travis.yml: trusty->bionic (#796)
  • b5775f7 - Fix typo in exception-verbose parameter
  • 64f75c9 - vmmap command: fixes #795 - usage w/o argument
  • f543205 - vmmap command: show offset for single addresses (#795)
  • 8c601c4 - Fix typos (#787)
  • 5efff78 - return only valid arenas (#784)
  • af0b065 - 2*ptrsize mismatch (#783)
  • 970ac22 - Delete dead code in regs.py (#779)
  • 7bad305 - Determine register sizes dynamically, do not assume ptrdiff width (#775)
  • a1b2b03 - Fixes #777 - missing pyelftools program header name (#782)
  • 606eae0 - Update regs.py (#780)
  • 744aa22 - Fixes #770 - broken vmmap aliases (#778)
  • 1cd9874 - Use qemu.root() instead of a hardcoded path (#774)
  • 5b9a42a - Fix find_fake_fast error on older gdb version (#760)
  • b361bda - #664 mark changed registers (#756)
  • 016326f - Update issue templates (#776)
  • 677dfa2 - Changes in dependencies needed for Ubuntu, starting from scratch. (#763)
  • 609284c - support for xbps install (#753)
  • f90db72 - chunk printing to malloc_chunk cmd (#751)
  • 5062e4a - Fixes #749 - stop showing pc marker in disasm loops (#750)
  • ac7fb64 - mprotect command injecting mprotect syscall. (#740)
  • d3ec217 - fix for ubuntu 20.04 (#748)
  • 2a09b30 - Fixes #726 (#747)
  • e3b910c - Try heap (#744)
  • 4281583 - Update heap implementation (#728)
  • fbd2bb3 - Fixed alignment bug in vis_heap_chunks command (#739)
  • 3cf9b31 - Added support for opensuse (#734)
  • 0cdcd6f - Fixed misprint 'distibuted' --> 'distributed' (#733)
  • d4a6ff4 - Fix command description format (#727)
  • b1beacf - fixes #660, can not get correct arm64 context (#724)
  • 5849d27 - [WIP] Feature: show ghidra decompiled code in context (#715)
  • ab1e091 - rename ctx-watch -> ctx-unwatch (#725)
  • 5c67072 - Enhance find_fake_fast (#721)
  • 798bcb6 - Fix inaccuracies in vis_heap_chunks() (#708)
  • a18e751 - [WIP] Context watches expressions (#711)
  • 80e3959 - Don't use top chunk heuristics (#712)
  • c8a846e - Replace malloc initialization heuristics (#713)
  • 08a78ad - Remove temp files and dir when exit (#720)
  • 64ca9a6 - Fix decompile error (#716)
  • c46417f - Remove useless cat from setup (#717)
  • d2fc367 - Happy new year 2020 (#718)
  • f2c0efc - Per section context output (#697)
  • 9aef04b - Add line indicator in decompile result (#714)
  • cc0c90a - Fix vmmap crash when PG is disabled (#709)
  • ca649da - Fix switching to remote debug caching bug #707
  • 8cbb863 - Update init.py (#703)
  • 355c09e - command: support alternatives including sub command wrapper like pwn (#701)
  • ecae891 - fix spelling errors (#699)
  • 829f36a - Improve probeleak command (#698)
  • b2f7f90 - split inode_objfile at most once to fix #695 (#696)
  • e650f92 - adding support for clear linux (#694)

2019.12.09

4 years ago

This release brings some bugfixes (also related to IDA Pro sync), enhancements to commands and some other enhancements.

Changelog

What is new

  • Added vmmap QEMU kernel support for x86/x64/risc-v by parsing memory info mem (#685, #687)
  • Allowed hexdump by module name, like vmmap (#683)
  • Added initial support for ARM Cortex-M baremetal debugging (#264)
  • Better support for go binaries (#649, #652)
  • The vis_heap_chunk command got improved (#625)
  • Added leakfind command (#608, #620)
  • Added xuntil command (#604, #648)
  • Added option to redirect context output to another tty or to files - simply run set context-output /dev/pts/x (#610)
  • Enhance remote QEMU targets debugging experience (#603)
  • Added ctx alias for the context command (#656)
  • Added __read_chk, __fread_chk and __pread_chk to recognized functions (#536)
  • Improved UX of dumpargs command (#631)

Fixes

  • Fixed #681 (#693)
  • Fixed top_chunk and vis_heap_chunks command (#691)
  • Fixed the installer's apt-get blocking at setup time (#680)
  • Fixed #674 by adding gdb-gdbserver dependency (#676)
  • Fixed #532 by clearing internal temp bp on exit (#642)
  • Heap commands are now invoked only with libc debug symbols (#635)
  • Added mkdocs documentation (#639)
  • Fixed source code display (#638)
  • Fixed #636 - bug with regs display on other frames (#637)
  • Added a workaround for GDB bug described in #632 (#633)
  • The pseudocode context display retrieved from IDA Pro Hex-Rays decompilation now shows only the related code (#630)
  • Fix the decompile function for IDA Pro 7.2 during IDA Pro sync (#629)
  • Fixed a bug when IDA Pro window was activated/focused when jumping during IDA Pro sync (#628)
  • Use ArgparsedCommand for everything (#622)
  • Fixed #623, a bug where pwndbg.proc.exe returned wrong path (#624)
  • Allowed ArgparsedCommand to have aliases (#621)
  • Fixed base for got on pie binaries (#618)
  • Fixed #609 by updating types on new_objfile event (#616)
  • Fixed #538 - breakrva on symlink targets (#539)
  • Change StopIteration to return (#613)
  • Fixed linetable.line.pc negative address when debugging a kernel (#605)
  • Added install instructions for Manjaro in setup.sh (#606)
  • IDA Pro sync RPC will try to auto-connect when ida-enabled parameter is enabled (#597)
  • Fixed bug in heap command (#571)
  • Fixed syntax highlighting cache bug (#594)

Thanks to all external contributors:

  • @alissonbezerra
  • @korniltsev
  • @jerdna-regeiz
  • @theqlabs
  • @bet4it
  • @Bluekezhou
  • @CarloMara
  • @mzr
  • @Jinmo
  • @matrix1001
  • @NyaMisty
  • @GrosQuildu
  • @StalkR
  • @F3real
  • @zommiommy
  • @vesim987
  • @reyammer
  • @Qwaz
  • @Yuuoniy
  • @geoffbeier
  • @jaseg
  • @jebjerg

And our team:

  • @zachriggle
  • @stnevans
  • @anthraxx
  • @disconnect3d