Some useful WinDbg commands

e{b|d|D|f|p|q|w} Address [Values]
e{a|u|za|zu} Address "String"
e Address [Values]

e: enters data in the same format as the most recent e* command.
ea and eza: write to memory as an ASCII string;
eu and ezu: write to memory as a Unicode string.
The eza and ezu commands write a terminating null;
the ea and eu commands do not. The string must be enclosed in quotation marks.

Numeric values are interpreted as numbers in the current radix (16, 10, or 8). To change the default radix, use the n (Set Number Base) command. The default radix can be overridden by specifying the 0x prefix (hexadecimal), 0n prefix (decimal), 0t prefix (octal), or 0y prefix (binary).

Telescope

Inspecting memory dumps is easy with the telescope command. It recursively dereferences a range of memory, letting you see everything at once. As an added bonus, Pwndbg checks all of the available registers to see if they point into the memory range.

Pwndbg makes searching the target memory space easy, with a complete and easy-to-use interface. Whether you’re searching for bytes, strings, or various sizes of integer values or pointers, it’s a simple command away.

ROP Gadgets

Pwndbg makes using ROPGadget easy with the actual addresses in the process.
Just use the rop command!

Process State Inspection

Use the procinfo command in order to inspect the current process state, like UID, GID, Groups, SELinux context, and open file descriptors! Pwndbg works particularly well with remote GDB debugging like with Android phones, which PEDA, GEF, and vanilla GDB choke on.

Finding Leaks


Finding leak chains can be done using the leakfind command. It recursively inspects address ranges for pointers, and reports on all pointers found.

some heap function




x/<n/f/u> <addr>

n, f and u are optional parameters.

n is a positive integer giving the number of units to display, i.e. how many consecutive units starting from the given address are shown.
f is the display format (see above). If the address points to a string, the format can be s; if it is an instruction address, the format can be i.
u is the number of bytes per unit read from the given address; if not specified, GDB defaults to 4 bytes. u can be one of the following letters: b for a single byte, h for two bytes, w for four bytes, g for eight bytes. Once a unit size is given, GDB reads that many bytes starting from the specified memory address and treats them as one value.
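To make the n/f/u semantics concrete, here is an added example (not from GDB or any of the tools named above) that emulates x/nfu over a constructed little-endian byte buffer: it applies the same defaults (count 1, hex, 4-byte unit), the b/h/w/g unit sizes, and the s format. SAMPLE_MEMORY and SAMPLE_BASE are constructed stand-ins for a real process; the parser expects the letters in the order n, f, u and leaves the i (disassembly) format out.

```python
import re
import struct

# Unit-size letters of the GDB "x" command and their byte widths.
UNIT_SIZES = {"b": 1, "h": 2, "w": 4, "g": 8}

# Constructed sample "memory": two little-endian 32-bit words followed by a
# NUL-terminated string, standing in for a real target process (14 bytes).
SAMPLE_MEMORY = struct.pack("<II", 0xDEADBEEF, 0x41424344) + b"hello\x00"
SAMPLE_BASE = 0x7FFC0000  # hypothetical address where the buffer lives


def parse_x_spec(spec):
    """Parse the nfu part of 'x/nfu', e.g. '4xw' -> (4, 'x', 'w').

    Defaults mirror GDB: count 1, hex format, 4-byte ('w') unit.
    """
    m = re.fullmatch(r"(\d*)([xduotacfs]?)([bhwg]?)", spec)
    if not m:
        raise ValueError(f"bad x specifier: {spec!r}")
    count = int(m.group(1)) if m.group(1) else 1
    fmt = m.group(2) or "x"
    unit = m.group(3) or "w"
    return count, fmt, unit


def examine(memory, base, addr, spec):
    """Emulate 'x/<spec> <addr>' over an in-memory buffer.

    Returns what GDB would print: for 's' the NUL-terminated string at addr,
    otherwise `count` integers of `unit` bytes each (little-endian); 'd' is
    read as signed, every other integer format as unsigned.
    """
    count, fmt, unit = parse_x_spec(spec)
    off = addr - base
    if fmt == "s":
        end = memory.index(b"\x00", off)  # s ignores count and unit size
        return [memory[off:end].decode()]
    size = UNIT_SIZES[unit]
    total = count * size
    if off < 0 or off + total > len(memory):
        raise IndexError("read past end of sample memory")
    values = []
    for i in range(count):
        chunk = memory[off + i * size: off + (i + 1) * size]
        values.append(int.from_bytes(chunk, "little", signed=(fmt == "d")))
    return values


if __name__ == "__main__":
    print([hex(v) for v in examine(SAMPLE_MEMORY, SAMPLE_BASE, SAMPLE_BASE, "2xw")])
    print(examine(SAMPLE_MEMORY, SAMPLE_BASE, SAMPLE_BASE + 8, "s"))
```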