Examine/display memory and register in gdb

This is going to be a small demonstration or ‘tip’ to analyse registers and memory via gdb when debugging a program . These commands are pretty much useful when debugging a program. It has its own use cases..

Examine registers:

$info registers is the command which can be used to see current register values at the moment from  gdb prompt. Below command can be used as a short cut to view registers:

(gdb) i r
rax            0x1    1
rbx            0x7fff955a9df0    140735699131888
rcx            0xffffffffffffffff    -1
rdx            0x7fff955a9e70    140735699132016
rsi            0x7fff955a9df0    140735699131888
rdi            0x16    22
rbp            0x7fff955a9e70    0x7fff955a9e70
rsp            0x7fff955a9dc0    0x7fff955a9dc0
r8             0x7fff955a9dd0    140735699131856
r9             0x1    1
r10            0x7fff955a9ef0    140735699132144
r11            0x293    659
r12            0x7fff955a9ef0    140735699132144
r13            0x0    0
r14            0x1    1
r15            0x0    0
rip            0x37e78da373    0x37e78da373
eflags         0x293    [ CF AF SF IF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0

Register information can be fetched individually . For ex: “Stack pointer” and “Instruction pointer” information can be fetched by:

(gdb) i r $sp
sp: 0x7fff955a9dc0
(gdb) i r $rip
rip            0x37e78da373    0x37e78da373

Examining memory :

This is pretty much useful when debugging a program:

“x” is the command which can be used for the same purpose.. The general format of ‘x’ command as shown here.

(gdb) help x

Examine memory: x/FMT ADDRESS. 

ADDRESS is an expression for the memory address to examine.
FMT is a repeat count followed by a format letter and a size letter.
Format letters are o(octal), x(hex), d(decimal), u(unsigned decimal),
t(binary), f(float), a(address), i(instruction), c(char) and s(string).
Size letters are b(byte), h(halfword), w(word), g(giant, 8 bytes).
The specified number of objects of the specified size are printed
according to the format.

Defaults for format and size letters are those previously used.
Default count is 1.  Default address is following last thing printed
with this command or “print”.

In short :

o – octal
d – decimal
x – hexadecimal
u – unsigned integer
s – string
t – binary

b – byte
h – half
w – word
g – double word

Example use of ‘x’ command:

“3” words of memory ‘above’ stack pointer can be displayed by:  

But why I used “above” here ? ‘Ans’: It is home work/assignment for you 🙂

(gdb) x/3xw $sp
0x7fff955a9dc0:    0x00000000    0x00000000    0x0041ecb1

“2” machine instructions from 0x37e78da373/eip

(gdb) x/2i 0x37e78da373
=> 0x37e78da373 :    mov    (%rsp),%rdi
0x37e78da377 :    mov    %rax,%rdx

To display a string you can use: ‘ I selected a random address’ , so it may not give a human readable example string as output.

(gdb) x/s 0x0041ecb1
0x41ecb1:     “A\211\307藟\001”

Hope this helps ..

Leave a Reply

Your email address will not be published. Required fields are marked *