Beispiel #1
def debug(args,
    Launch a GDB server with the specified command line,
    and launches GDB to attach to it.

        args(list): Arguments to the process, similar to :class:`.process`.
        gdbscript(str): GDB script to run.
        exe(str): Path to the executable on disk
        env(dict): Environment to start the binary in
        ssh(:class:`.ssh`): Remote ssh session to use to launch the process.
        sysroot(str): Foreign-architecture sysroot, used for QEMU-emulated binaries
            and Android targets.

        :class:`.process` or :class:`.ssh_channel`: A tube connected to the target process


        The debugger is attached automatically, and you can debug everything
        from the very beginning.  This requires that both ``gdb`` and ``gdbserver``
        are installed on your machine.

        When GDB opens via :func:`debug`, it will initially be stopped on the very first
        instruction of the dynamic linker (````) for dynamically-linked binaries.

        Only the target binary and the linker will be loaded in memory, so you cannot
        set breakpoints on shared library routines like ``malloc`` since ````
        has not even been loaded yet.

        There are several ways to handle this:

        1. Set a breakpoint on the executable's entry point (generally, ``_start``)
            - This is only invoked after all of the required shared libraries
              are loaded.
            - You can generally get the address via the GDB command ``info file``.
        2. Use pending breakpoints via ``set breakpoint pending on``
            - This has the side-effect of setting breakpoints for **every** function
              which matches the name.  For ``malloc``, this will generally set a
              breakpoint in the executable's PLT, in the linker's internal ``malloc``,
              and eventaully in ``libc``'s malloc.
        3. Wait for libraries to be loaded with ``set stop-on-solib-event 1``
            - There is no way to stop on any specific library being loaded, and sometimes
              multiple libraries are loaded and only a single breakpoint is issued.
            - Generally, you just add a few ``continue`` commands until things are set up
              the way you want it to be.


    >>> # Create a new process, and stop it at 'main'
    >>> io = gdb.debug('bash', '''
    ... break main
    ... continue
    ... ''')
    >>> # Send a command to Bash
    >>> io.sendline("echo hello")
    >>> io.recvline()
    >>> # Interact with the process
    >>> io.interactive() # doctest: +SKIP
    >>> io.close()

    >>> # Create a new process, and stop it at '_start'
    >>> io = gdb.debug('bash', '''
    ... # Wait until we hit the main executable's entry point
    ... break _start
    ... continue
    ... # Now set breakpoint on shared library routines
    ... break malloc
    ... break free
    ... continue
    ... ''')
    >>> # Send a command to Bash
    >>> io.sendline("echo hello")
    >>> io.recvline()
    >>> # Interact with the process
    >>> io.interactive() # doctest: +SKIP
    >>> io.close()

    You can use :func:`debug` to spawn new processes on remote machines as well,
    by using the ``ssh=`` keyword to pass in your :class:`.ssh` instance.

    >>> # Connect to the SSH server
    >>> # Start a process on the server
    >>> shell = ssh('travis', 'example.pwnme', password='******')
    >>> io = gdb.debug(['bash'],
    ...                 ssh = shell,
    ...                 gdbscript = '''
    ... break main
    ... continue
    ... ''')
    >>> # Send a command to Bash
    >>> io.sendline("echo hello")
    >>> # Interact with the process
    >>> io.interactive() # doctest: +SKIP
    >>> io.close()
    if isinstance(
            args, six.integer_types +
        (tubes.process.process, tubes.ssh.ssh_channel)):
        log.error("Use gdb.attach() to debug a running process")

    if isinstance(args, (bytes, six.text_type)):
        args = [args]

    orig_args = args

    runner = _get_runner(ssh)
    which = _get_which(ssh)
    gdbscript = gdbscript or ''

    if context.noptrace:
        log.warn_once("Skipping debugger since context.noptrace==True")
        return runner(args, executable=exe, env=env)

    if ssh or context.native or (context.os == 'android'):
        args = _gdbserver_args(args=args, which=which, env=env)
        qemu_port = random.randint(1024, 65535)
        qemu_user = qemu.user_path()
        sysroot = sysroot or qemu.ld_prefix(env=env)
        if not qemu_user:
                "Cannot debug %s binaries without appropriate QEMU binaries" %
        qemu_args = [qemu_user, '-g', str(qemu_port)]
        if sysroot:
            qemu_args += ['-L', sysroot]
        args = qemu_args + args

    # Use a sane default sysroot for Android
    if not sysroot and context.os == 'android':
        sysroot = 'remote:/'

    # Make sure gdbserver/qemu is installed
    if not which(args[0]):
        log.error("%s is not installed" % args[0])

    if not ssh:
        exe = exe or which(orig_args[0])
        if not (exe and os.path.exists(exe)):
            log.error("%s does not exist" % exe)

    # Start gdbserver/qemu
    # (Note: We override ASLR here for the gdbserver process itself.)
    gdbserver = runner(args, env=env, aslr=1, **kwargs)

    # Set the .executable on the process object.
    gdbserver.executable = exe

    # Find what port we need to connect to
    if context.native or (context.os == 'android'):
        port = _gdbserver_port(gdbserver, ssh)
        port = qemu_port

    host = ''
    if not ssh and context.os == 'android':
        host = context.adb_host

    attach((host, port),

    # gdbserver outputs a message when a client connects
    garbage = gdbserver.recvline(timeout=1)

    # Some versions of gdbserver output an additional message
    garbage2 = gdbserver.recvline_startswith(b"Remote debugging from host ",

    return gdbserver
Beispiel #2
def debug(args, gdbscript=None, exe=None, ssh=None, env=None, **kwargs):
    """debug(args) -> tube

    Launch a GDB server with the specified command line,
    and launches GDB to attach to it.

        args(list): Arguments to the process, similar to :class:`.process`.
        gdbscript(str): GDB script to run.
        exe(str): Path to the executable on disk
        env(dict): Environment to start the binary in
        ssh(:class:`.ssh`): Remote ssh session to use to launch the process.

        :class:`.process` or :class:`.ssh_channel`: A tube connected to the target process


        The debugger is attached automatically, and you can debug everything
        from the very beginning.  This requires that both ``gdb`` and ``gdbserver``
        are installed on your machine.

        When GDB opens via :func:`debug`, it will initially be stopped on the very first
        instruction of the dynamic linker (````) for dynamically-linked binaries.

        Only the target binary and the linker will be loaded in memory, so you cannot
        set breakpoints on shared library routines like ``malloc`` since ````
        has not even been loaded yet.

        There are several ways to handle this:

        1. Set a breakpoint on the executable's entry point (generally, ``_start``)
            - This is only invoked after all of the required shared libraries
              are loaded.
            - You can generally get the address via the GDB command ``info file``.
        2. Use pending breakpoints via ``set breakpoint pending on``
            - This has the side-effect of setting breakpoints for **every** function
              which matches the name.  For ``malloc``, this will generally set a
              breakpoint in the executable's PLT, in the linker's internal ``malloc``,
              and eventaully in ``libc``'s malloc.
        3. Wait for libraries to be loaded with ``set stop-on-solib-event 1``
            - There is no way to stop on any specific library being loaded, and sometimes
              multiple libraries are loaded and only a single breakpoint is issued.
            - Generally, you just add a few ``continue`` commands until things are set up
              the way you want it to be.


        .. code-block:: python

            # Create a new process, and stop it at 'main'
            io = gdb.debug('bash', '''
            break main

            # Send a command to Bash
            io.sendline("echo hello")

            # Interact with the process

        .. code-block:: python

            # Create a new process, and stop it at 'main'
            io = gdb.debug('bash', '''
            # Wait until we hit the main executable's entry point
            break _start

            # Now set breakpoint on shared library routines
            break malloc
            break free

            # Send a command to Bash
            io.sendline("echo hello")

            # Interact with the process

        You can use :func:`debug` to spawn new processes on remote machines as well,
        by using the ``ssh=`` keyword to pass in your :class:`.ssh` instance.

        .. code-block:: python

            # Connect to the SSH server
            shell = ssh('passcode', '', 2222, password='******')

            # Start a process on the server
            io = gdb.debug(['bash'],
            break main

            # Send a command to Bash
            io.sendline("echo hello")

            # Interact with the process
    if isinstance(args, (int, tubes.process.process, tubes.ssh.ssh_channel)):
        log.error("Use gdb.attach() to debug a running process")

    if env is None:
        env = os.environ

    if isinstance(args, (str, unicode)):
        args = [args]

    orig_args = args

    runner = _get_runner(ssh)
    which = _get_which(ssh)
    sysroot = None
    gdbscript = gdbscript or ''

    if context.noptrace:
        log.warn_once("Skipping debugger since context.noptrace==True")
        return runner(args, executable=exe, env=env)

    if ssh or context.native or (context.os == 'android'):
        args = _gdbserver_args(args=args, which=which)
        qemu_port = random.randint(1024, 65535)
        qemu_user = qemu.user_path()
        sysroot = qemu.ld_prefix(env)
        if not qemu_user:
                "Cannot debug %s binaries without appropriate QEMU binaries" %
        args = [qemu_user, '-g', str(qemu_port)] + args

    # Make sure gdbserver/qemu is installed
    if not which(args[0]):
        log.error("%s is not installed" % args[0])

    exe = exe or which(orig_args[0])
    if not exe:
        log.error("%s does not exist" % orig_args[0])
        gdbscript = 'file %s\n%s' % (exe, gdbscript)

    # Start gdbserver/qemu
    # (Note: We override ASLR here for the gdbserver process itself.)
    gdbserver = runner(args, env=env, aslr=1, **kwargs)

    # Set the .executable on the process object.
    gdbserver.executable = which(orig_args[0])

    # Find what port we need to connect to
    if context.native or (context.os == 'android'):
        port = _gdbserver_port(gdbserver, ssh)
        port = qemu_port

    host = ''
    if not ssh and context.os == 'android':
        host = context.adb_host

    attach((host, port),

    # gdbserver outputs a message when a client connects
    garbage = gdbserver.recvline(timeout=1)

    if "Remote debugging from host" not in garbage:

    return gdbserver