GDB to LLDB to WinDbg to HyperDbg Command Map
Below is a table of equivalent debugger commands for the GDB, LLDB, WinDbg (CDB), and HyperDbg debuggers. The original GDB to LLDB page can be found at http://lldb.llvm.org/lldb-gdb.html, and an extension to it is also available at https://dbg.placinta.eu.
This page adds the equivalent HyperDbg commands, with some improvements in all debuggers for developer convenience.
All credit (and many thanks) goes to the original contributors of the documentation and those who add WinDbg extension to it. New commands for HyperDbg will be added to this page over time.
Execution Commands
| GDB | LLDB | WinDbg / CDB | HyperDbg |
| Launch a process with no arguments. | |||
| (gdb) run
(gdb) r |
(lldb) process launch
(lldb) run (lldb) r |
(windbg) g | (hyperdbg) g |
Launch a process with arguments <args>. |
|||
| (gdb) run <args>
(gdb) r <args> |
(lldb) process launch -- <args>
(lldb) r <args> |
(windbg) .create <args>; g | (hyperdbg) .start <args> |
| Launch a process with arguments "a.out 1 2 3" without having to supply the args every time. | |||
| % gdb --args a.out 1 2 3
(gdb) run ... (gdb) run ... |
% lldb -- a.out 1 2 3
(lldb) run ... (lldb) run ... |
% cdb -o a.out 1 2 3
(windbg) g ... (windbg) g ... |
(hyperdbg) .start a.out 1 2 3
(hyperdbg) .restart |
| Or: | |||
| (gdb) set args 1 2 3
(gdb) run ... (gdb) run ... |
(lldb) settings set target.run-args 1 2 3
(lldb) run ... (lldb) run ... |
(windbg) .kill
(windbg) .create a.out <args> ... (windbg) g ... |
(hyperdbg) .kill
(hyperdbg) .start a.out <args> ... (hyperdbg) g ... |
| Launch a process with arguments in a new terminal window (Mac OS X only). | |||
| (lldb) process launch --tty -- <args>
(lldb) pro la -t -- <args> |
|||
| Launch a process with arguments in the existing terminal
|
|||
| (lldb) process launch --tty=/dev/ttys006 -- <args>
(lldb) pro la -t/dev/ttys006 -- <args> |
|||
| Print loaded shared libraries when launching application. | |||
| (gdb) set print symbol-loading full
|
(lldb) env DYLD_PRINT_LIBRARIES=1
|
(windbg) lm | (hyperdbg) lm |
| Set environment variables for process before launching. | |||
| (gdb) set env DEBUG 1
|
(lldb) settings set target.env-vars DEBUG=1
(lldb) set se target.env-vars DEBUG=1 (lldb) env DEBUG=1 |
||
| Unset environment variables for process before launching. | |||
| (gdb) unset env DEBUG
|
(lldb) settings remove target.env-vars DEBUG
(lldb) set rem target.env-vars DEBUG |
||
| Show the arguments that will be or were passed to the program when run. | |||
| (gdb) show args
Argument list to give program being debugged when it is started is "1 2 3". |
(lldb) settings show target.run-args
target.run-args (array of strings) = [0]: "1" [1]: "2" [2]: "3" |
(windbg) .shell -ci "!peb" findstr "CommandLine"
|
|
| Set environment variables for the process and launch the process in one command. | |||
| (lldb) process launch -v DEBUG=1
|
|||
| Attach to a process with process ID 123. | |||
| (gdb) attach 123 | (lldb) process attach --pid 123
(lldb) attach -p 123 |
(windbg) .attach 123 | (hyperdbg) .attach 123 |
| Attach to a process named "a.out". | |||
| (gdb) attach a.out | (lldb) process attach --name a.out
(lldb) pro at -n a.out |
% cdb --pn a.out
(No equivalent debugger command.) |
|
| Wait for a process named "a.out" to launch and attach. | |||
| (gdb) attach -waitfor a.out | (lldb) process attach --name a.out --waitfor
(lldb) pro at -n a.out -w |
Create a registry key to automatically attach debugger when process is started.
|
|
| Attach to a remote gdb protocol server running on system "eorgadd", port 8000. | |||
| (gdb) target remote eorgadd:8000 | (lldb) gdb-remote eorgadd:8000 | (hyperdbg) .connect eorgadd 800 (not gdb protocol) | |
| Attach to a remote gdb protocol server running on the local system, port 8000. | |||
| (gdb) target remote localhost:8000 | (lldb) gdb-remote 8000 | ||
| Attach to a Darwin kernel in kdp mode on system "eorgadd". | |||
| (gdb) kdp-reattach eorgadd | (lldb) kdp-remote eorgadd | ||
| Do a source level single step in the currently selected thread. | |||
| (gdb) step
(gdb) s |
(lldb) thread step-in
(lldb) step (lldb) s |
(windbg) t
|
(hyperdbg) t
|
| Do a source level single step over in the currently selected thread. | |||
| (gdb) next
(gdb) n |
(lldb) thread step-over
(lldb) next (lldb) n |
(windbg) p
|
(hyperdbg) p
|
| Instrumentation step in, in which it guarantees that all the other cores and threads remain halted while debuggee is stepping (kernel-to-user and user-to-kernel stepping). | |||
| (hyperdbg) i
| |||
| Do an instruction level single step in the currently selected thread. | |||
| (gdb) stepi
(gdb) si |
(lldb) thread step-inst
(lldb) si |
||
| Do an instruction level single step over in the currently selected thread. | |||
| (gdb) nexti
(gdb) ni |
(lldb) thread step-inst-over
(lldb) ni |
||
| Step out of the currently selected frame. | |||
| (gdb) finish
|
(lldb) thread step-out
(lldb) finish |
(windbg) gu
|
|
| Return immediately from the currently selected frame, with an optional return value. | |||
| (gdb) return <RETURN EXPRESSION>
|
(lldb) thread return <RETURN EXPRESSION>
|
||
| Backtrace and disassemble every time you stop. | |||
| (lldb) target stop-hook add
Enter your stop hook command(s). Type 'DONE' to end. > bt > disassemble --pc > DONE Stop hook #1 added. |
|||
| Run until we hit line 12 or control leaves the current function. | |||
| (gdb) until 12 | (lldb) thread until 12 | (windbg) g `:12` | |
| Change the current operating core to core "1". | |||
| (windbg) ~1s | (hyperdbg) ~ 1 | ||
| Show list of active processes (kernel-debugging). | |||
| (windbg) !process 0 0
|
(hyperdbg) .process list
|
||
| Change the current process memory layout (kernel-debugging). | |||
| (windbg) .process /i 863c22f0
(windbg) g |
(hyperdbg) .process pid 1ddc
(hyperdbg) g (hyperdbg) .process process ffff948cba0eb080 (hyperdbg) g |
||
| Detach from the current target process. | |||
| (gdb) detach | (lldb) detach
(lldb) d |
(windbg) .detach | (hyperdbg) .detach |
| Exit debugger. | |||
| (gdb) quit | (lldb) quit
(lldb) exit |
(windbg) q | (hyperdbg) unload vmm (hyperdbg) exit |
| Quit and detatch from current target process. | |||
| (windbg) qd | (hyperdbg) .detach | ||
Breakpoint Commands
| GDB | LLDB | WinDbg / CDB | HyperDbg |
| Set a breakpoint at all functions named main. | |||
| (gdb) break main | (lldb) breakpoint set --name main
(lldb) br s -n main (lldb) b main |
(windbg) bm *!main
|
|
| Set a breakpoint in file test.c at line 12. | |||
| (gdb) break test.c:12 | (lldb) breakpoint set --file test.c --line 12
(lldb) br s -f test.c -l 12 (lldb) b test.c:12 |
(windbg) bp `moduleName!test.c:12`
(windbg) bp `*!test.c:12` |
(hyperdbg) bp `moduleName!functionName`
(source file is not supported) |
| Set a breakpoint at all C++ methods whose basename is main. | |||
| (gdb) break main
(Hope that there are no C functions named main). |
(lldb) breakpoint set --method main
(lldb) br s -M main |
||
| Set a breakpoint at and object C function: -[NSString stringWithFormat:]. | |||
| (gdb) break -[NSString stringWithFormat:]
|
(lldb) breakpoint set --name "-[NSString stringWithFormat:]"
(lldb) b -[NSString stringWithFormat:] |
||
| Set a breakpoint at all Objective C methods whose selector is count. | |||
| (gdb) break count
(Hope that there are no C or C++ functions named count). |
(lldb) breakpoint set --selector count
(lldb) br s -S count |
||
| Set a breakpoint by regular expression on function name. | |||
| (gdb) rbreak regular-expression
|
(lldb) breakpoint set --func-regex regular-expression
(lldb) br s -r regular-expression |
(windbg) bm *!*wildcard-pattern*
|
|
| Ensure that breakpoints by file and line work for #included .c/.cpp/.m files. | |||
| (gdb) b foo.c:12
|
(lldb) settings set target.inline-breakpoint-strategy always
(lldb) br s -f foo.c -l 12 |
(windbg) bp `moduleName!test.c:12`
(windbg) bp `*!test.c:12` |
|
| Set a breakpoint by regular expression on source file contents. | |||
| (gdb) shell grep -e -n pattern source-file
(gdb) break source-file:CopyLineNumbers |
(lldb) breakpoint set --source-pattern regular-expression --file SourceFile
(lldb) br s -p regular-expression -f file |
||
| Set a conditional breakpoint. | |||
| (gdb) break foo if strcmp(y,"hello") == 0
|
(lldb) breakpoint set --name foo --condition '(int)strcmp(y,"hello") == 0'
(lldb) br s -n foo -c '(int)strcmp(y,"hello") == 0' |
(windbg) bp `mysource.cpp:143` "j (poi(MyVar)>0n20) ''; 'gc' "
|
(hyperdbg) !epthook 0x7f349068 script { if (@rax == 0x55) {pause();} }
|
| List all breakpoints. | |||
| (gdb) info break
|
(lldb) breakpoint list
(lldb) br l |
(windbg) bl
|
(hyperdbg) bl
|
| Delete a breakpoint. | |||
| (gdb) delete 1
|
(lldb) breakpoint delete 1
(lldb) br del 1 |
(windbg) bc 1
|
(hyperdbg) bc 1
|
Watchpoint Commands
| GDB | LLDB | WinDbg / CDB | HyperDbg |
| Set a watchpoint on a variable when it is written to. | |||
| (gdb) watch global_var | (lldb) watchpoint set variable global_var
(lldb) wa s v global_var |
(windbg) ba w4 global_var
(lldb) wa s v global_var |
(hyperdbg) !monitor w global_var global_var+20
|
| Set a watchpoint on a memory location when it is written into. The size of the region to watch for defaults to the pointer size if no '-x byte_size' is specified. This command takes raw input, evaluated as an expression returning an unsigned integer pointing to the start of the region, after the '--' option terminator. | |||
| (gdb) watch -location g_char_ptr | (lldb) watchpoint set expression -- my_ptr
(lldb) wa s e -- my_ptr |
(windbg) ba w4 0xff349068
|
There is no limitation to size and count of memory access breakpoints in HyperDbg.
(hyperdbg) !monitor rw 0xff349068 0xff349f50 |
| Set a condition on a watchpoint. | |||
| (lldb) watch set var global
(lldb) watchpoint modify -c '(global==5)' (lldb) c ... (lldb) bt * thread #1: tid = 0x1c03, 0x0000000100000ef5 a.out`modify + 21 at main.cpp:16, stop reason = watchpoint 1 frame #0: 0x0000000100000ef5 a.out`modify + 21 at main.cpp:16 frame #1: 0x0000000100000eac a.out`main + 108 at main.cpp:25 frame #2: 0x00007fff8ac9c7e1 libdyld.dylib`start + 1 (lldb) frame var global (int32_t) global = 5 |
(hyperdbg) !monitor w global_var global_var+20 condition { 90 90 90}
|
||
| List all watchpoints. | |||
| (gdb) info break
|
(lldb) watchpoint list
(lldb) watch l |
(windbg) bl
|
(hyperdbg) events
|
| Delete a watchpoint. | |||
| (gdb) delete 1
|
(lldb) watchpoint delete 1
(lldb) watch del 1 |
(windbg) bc 1
|
(hyperdbg) event c 1
|
Examining and Modifying Variables
| GDB | LLDB | WinDbg / CDB | HyperDbg |
| Show the arguments and local variables for the current frame. | |||
| (gdb) info args
and (gdb) info locals |
(lldb) frame variable
(lldb) fr v |
(windbg) kp 1
(windbg) dv |
(hyperdbg) kd
(hyperdbg) kq |
| Show the local variables for the current frame. | |||
| (gdb) info locals
|
(lldb) frame variable --no-args
(lldb) fr v -a |
(windbg) dv
|
|
| Show the contents of the local variable "bar". | |||
| (gdb) p bar
|
(lldb) frame variable bar
(lldb) fr v bar (lldb) p bar |
(windbg) dx bar
|
(hyperdbg) dc bar
|
| Show the contents of the local variable "bar" formatted as hex. | |||
| (gdb) p/x bar
|
(lldb) frame variable --format x bar
(lldb) fr v -f x bar |
(windbg) .formats bar
|
(hyperdbg) .formats bar
|
| Show the contents of the global variable "baz". | |||
| (gdb) p baz
|
(lldb) target variable baz
(lldb) ta v baz |
(windbg) dx baz
|
(hyperdbg) dc baz
|
| Show the contents of memory at physical address "0x12000". | |||
| (windbg) db 0x12000
|
(hyperdbg) db 0x12000
|
||
| Search for "H" starting from memory address "0x554000". | |||
| (gdb) find 0x554000 to 0x554fff, 'H'
|
(windbg) s -d 0x554000 Lfff 'H'
|
(hyperdbg) sb 0x554000 l ffff 48
|
|
| Search for "H" starting from physical memory address "0x12000". | |||
| (hyperdbg) !sb 0x12000 l ffff 48
|
|||
| Find the address of the global variable "baz". | |||
| (windbg) x moduleName!baz
|
(hyperdbg) x moduleName!baz
|
||
| Show the global/static variables defined in the current source file. | |||
| (lldb) target variable
(lldb) ta v |
(windbg) dx variable
|
||
| Display the variables "argc" and "argv" every time you stop. | |||
| (gdb) display argc
(gdb) display argv |
(lldb) target stop-hook add --one-liner "frame variable argc argv"
(lldb) ta st a -o "fr v argc argv" (lldb) display argc (lldb) display argv |
||
| Display the variables "argc" and "argv" only when you stop in the function named main. | |||
| (lldb) target stop-hook add --name main --one-liner "frame variable argc argv"
(lldb) ta st a -n main -o "fr v argc argv" |
|||
| Display the variable "*this" only when you stop in c class named MyClass. | |||
| (lldb) target stop-hook add --classname MyClass --one-liner "frame variable *this"
(lldb) ta st a -c MyClass -o "fr v *this" |
|||
| Edit a byte at virtual address "0x2ae4". | |||
| (gdb) set {char}0x2ae4=0x12
|
(lldb) memory write 0x2ae4 0x12
|
(windbg) eb 0x2ae4 0x12
|
(hyperdbg) eb 0x2ae4 0x12
|
| Edit a byte at physical address "0x1200". | |||
| (windbg) !eb 0x1200 0x12
|
(hyperdbg) !eb 0x1200 0x12
|
||
Evaluating expressions
| GDB | LLDB | WinDbg / CDB | HyperDbg |
| Evaluating a generalized expression in the current frame. | |||
| (gdb) print (int) printf ("Print nine: %d.", 4 + 5)
or if you don't want to see void returns: (gdb) call (int) printf ("Print nine: %d.", 4 + 5) |
(lldb) expr (int) printf ("Print nine: %d.", 4 + 5)
or using the print alias: (lldb) print (int) printf ("Print nine: %d.", 4 + 5) |
(windbg) .printf "Print nine: %d.", 4 + 5
|
(hyperdbg) ? printf("Print nine: %d.", 4 + 5);
|
| Creating and assigning a value to a convenience variable. | |||
| (gdb) set $foo = 5
(gdb) set variable $foo = 5 or using the print command (gdb) print $foo = 5 or using the call command (gdb) call $foo = 5 and if you want to specify the type of the variable: (gdb) set $foo = (unsigned int) 5 |
In lldb you evaluate a variable declaration expression as you would write it in C:
(lldb) expr unsigned int $foo = 5 |
(windbg) r $t0 = 5
|
for global variables:
(hyperdbg) ? .foo = 5; for local variables: (hyperdbg) ? foo = 5; |
| Printing the ObjC "description" of an object. | |||
| (gdb) po [SomeClass returnAnObject]
|
(lldb) expr -o -- [SomeClass returnAnObject]
or using the po alias: (lldb) po [SomeClass returnAnObject] |
||
| Print the dynamic type of the result of an expression. | |||
| (gdb) set print object 1
(gdb) p someCPPObjectPtrOrReference only works for C++ objects. |
(lldb) expr -d 1 -- [SomeClass returnAnObject]
(lldb) expr -d 1 -- someCPPObjectPtrOrReference or set dynamic type printing to be the default: (lldb) settings set target.prefer-dynamic run-target |
||
| Calling a function so you can stop at a breakpoint in the function. | |||
| (gdb) set unwindonsignal 0
(gdb) p function_with_a_breakpoint() |
(lldb) expr -i 0 -- function_with_a_breakpoint()
|
||
| Calling a function that crashes, and stopping when the function crashes. | |||
| (gdb) set unwindonsignal 0
(gdb) p function_which_crashes() |
(lldb) expr -u 0 -- function_which_crashes()
|
||
Examining Thread State
| GDB | LLDB | WinDbg / CDB | HyperDbg |
| List the threads in your program. | |||
| (gdb) info threads
|
(lldb) thread list
|
(windbg) ~*
|
(hyperdbg) .switch
|
| Select thread 1 as the default thread for subsequent commands. | |||
| (gdb) thread 1
|
(lldb) thread select 1
(lldb) t 1 |
(hyperdbg) .switch tid 1
|
|
| Show the stack backtrace for the current thread. | |||
| (gdb) bt
|
(lldb) thread backtrace
(lldb) bt |
(windbg) k
|
(hyperdbg) k
|
| Show the stack backtraces for all threads. | |||
| (gdb) thread apply all bt | (lldb) thread backtrace all
(lldb) bt all |
(windbg) !uniqstack
|
|
| Backtrace the first five frames of the current thread. | |||
| (gdb) bt 5 | (lldb) thread backtrace -c 5
(lldb) bt 5 (lldb-169 and later) (lldb) bt -c 5 (lldb-168 and earlier) |
||
| Select a different stack frame by index for the current thread. | |||
| (gdb) frame 12 | (lldb) frame select 12
(lldb) fr s 12 (lldb) f 12 |
||
| List information about the currently selected frame in the current thread. | |||
| (lldb) frame info
|
|||
| Select the stack frame that called the current stack frame. | |||
| (gdb) up | (lldb) up
(lldb) frame select --relative=1 |
||
| Select the stack frame that is called by the current stack frame. | |||
| (gdb) down | (lldb) down
(lldb) frame select --relative=-1 (lldb) fr s -r-1 |
||
| Select a different stack frame using a relative offset. | |||
| (gdb) up 2
(gdb) down 3 |
(lldb) frame select --relative 2
(lldb) fr s -r2 (lldb) frame select --relative -3 (lldb) fr s -r-3 |
(hyperdbg) k base @rsp-10
|
|
| Show the general purpose registers for the current thread. | |||
| (gdb) info registers
|
(lldb) register read
|
(windbg) r
|
(hyperdbg) r
|
| Write a new decimal value '123' to the current thread register 'rax'. | |||
| (gdb) p $rax = 123
|
(lldb) register write rax 123
|
(windbg) r rax = 123
|
(hyperdbg) r @rax = 123
|
| Skip 8 bytes ahead of the current program counter (instruction pointer). Note that we use backticks to evaluate an expression and insert the scalar result in LLDB. | |||
| (gdb) jump *$pc+8
|
(lldb) register write pc `$pc+8`
|
(windbg) r rip = rip+8
|
(hyperdbg) r @rip = @rip+8
|
| Show the general purpose registers for the current thread formatted as signed decimal. LLDB tries to use the same format characters as printf(3) when possible. Type "help format" to see the full list of format specifiers. | |||
| (lldb) register read --format i
(lldb) re r -f i LLDB now supports the GDB shorthand format syntax but there can't be space after the command: (lldb) register read/d |
|||
| Show all registers in all register sets for the current thread. | |||
| (gdb) info all-registers
|
(lldb) register read --all
(lldb) re r -a |
(windbg) r
|
(hyperdbg) r
|
| Show the values for the registers named "rax", "rsp" and "rbp" in the current thread. | |||
| (gdb) info all-registers rax rsp rbp
|
(lldb) register read rax rsp rbp
|
(windbg) r rax
(windbg) r rsp (windbg) r rbp |
(hyperdbg) r rax
(hyperdbg) r rsp (hyperdbg) r rbp |
| Show the values for the register named "rax" in the current thread formatted as binary. | |||
| (gdb) p/t $rax
|
(lldb) register read --format binary rax
(lldb) re r -f b rax LLDB now supports the GDB shorthand format syntax but there can't be space after the command: (lldb) register read/t rax (lldb) p/t $rax |
(windbg) .formats rax
|
(hyperdbg) .formats @rax
|
| Read memory from address 0xbffff3c0 and show 4 hex uint32_t values. | |||
| (gdb) x/4xw 0xbffff3c0
|
(lldb) memory read --size 4 --format x --count 4 0xbffff3c0
(lldb) me r -s4 -fx -c4 0xbffff3c0 (lldb) x -s4 -fx -c4 0xbffff3c0 LLDB now supports the GDB shorthand format syntax but there can't be space after the command: (lldb) memory read/4xw 0xbffff3c0 (lldb) x/4xw 0xbffff3c0 (lldb) memory read --gdb-format 4xw 0xbffff3c0 |
(windbg) dc 0xbffff3c0 l4
|
(hyperdbg) dc 0xbffff3c0 l 32
|
| Read memory starting at the expression "argv[0]". | |||
| (gdb) x argv[0]
|
(lldb) memory read `argv[0]`
NOTE: any command can inline a scalar expression result (as long as the target is stopped) using backticks around any expression: (lldb) memory read --size `sizeof(int)` `argv[0]` |
(windbg) dc argv[0]
|
|
| Read 512 bytes of memory from address 0xbffff3c0 and save results to a local file as text. | |||
| (gdb) set logging on
(gdb) set logging file /tmp/mem.txt (gdb) x/512bx 0xbffff3c0 (gdb) set logging off |
(lldb) memory read --outfile /tmp/mem.txt --count 512 0xbffff3c0
(lldb) me r -o/tmp/mem.txt -c512 0xbffff3c0 (lldb) x/512bx -o/tmp/mem.txt 0xbffff3c0 |
||
| Save binary memory data starting at 0x1000 and ending at 0x2000 to a file. | |||
| (gdb) dump memory /tmp/mem.bin 0x1000 0x2000
|
(lldb) memory read --outfile /tmp/mem.bin --binary 0x1000 0x2000
(lldb) me r -o /tmp/mem.bin -b 0x1000 0x2000 |
(windbg) .writemem c:\temp\mem.bin 2000 l1000
|
|
| Get information about a specific heap allocation (available on Mac OS X only). | |||
| (gdb) info malloc 0x10010d680 | (lldb) command script import lldb.macosx.heap
(lldb) process launch --environment MallocStackLogging=1 -- [ARGS] (lldb) malloc_info --stack-history 0x10010d680 |
||
| Get information about a specific heap allocation and cast the result to any dynamic type that can be deduced (available on Mac OS X only). | |||
| (lldb) command script import lldb.macosx.heap
(lldb) malloc_info --type 0x10010d680 |
|||
| Find all heap blocks that contain a pointer specified by an expression EXPR (available on Mac OS X only). | |||
| (lldb) command script import lldb.macosx.heap
(lldb) ptr_refs EXPR |
|||
| Find all heap blocks that contain a C string anywhere in the block (available on Mac OS X only). | |||
| (lldb) command script import lldb.macosx.heap
(lldb) cstr_refs CSTRING |
|||
| Disassemble the current function for the current frame. | |||
| (gdb) disassemble | (lldb) disassemble --frame
(lldb) di -f |
||
| Disassemble any functions named main. | |||
| (gdb) disassemble main | (lldb) disassemble --name main
(lldb) di -n main |
(windbg) u main | (hyperdbg) u main |
| Disassemble an address range. | |||
| (gdb) disassemble 0x1eb8 0x1ec3 | (lldb) disassemble --start-address 0x1eb8 --end-address 0x1ec3
(lldb) di -s 0x1eb8 -e 0x1ec3 |
(windbg) u 0x1eb8 l100 | (hyperdbg) u 0x1eb8 l 100 |
| Disassemble 20 instructions (or 20 bytes) from a given virtual address. | |||
| (gdb) x/20i 0x1eb8 | (lldb) disassemble --start-address 0x1eb8 --count 20
(lldb) di -s 0x1eb8 -c 20 |
(windbg) u 0x1eb8 l20 | (hyperdbg) u 0x1eb8 l 20 |
| Disassemble 20 bytes from a given physical address. | |||
| (windbg) up 0x1000 l20 | (hyperdbg) !u 0x1000 l 20 | ||
| Show mixed source and disassembly for the current function for the current frame. | |||
| (lldb) disassemble --frame --mixed
(lldb) di -f -m |
|||
| Disassemble the current function for the current frame and show the opcode bytes. | |||
| (lldb) disassemble --frame --bytes
(lldb) di -f -b |
|||
| Disassemble the current source line for the current frame. | |||
| (lldb) disassemble --line
(lldb) di -l |
|||
Executable and Shared Library Query Commands
| GDB | LLDB | WinDbg / CDB | HyperDbg |
| List the main executable and all dependent shared libraries. | |||
| (gdb) info shared
|
(lldb) image list
|
(windbg) lm
|
(hyperdbg) lm
|
| Look up information for a raw address in the executable or any shared libraries. | |||
| (gdb) info symbol 0x1ec4
|
(lldb) image lookup --address 0x1ec4
(lldb) im loo -a 0x1ec4 |
(windbg) !address 0x1ec4
|
|
| Look up functions matching a regular expression in a binary. | |||
| (gdb) info function <FUNC_REGEX>
|
This one finds debug symbols:
(lldb) image lookup -r -n <FUNC_REGEX> This one finds non-debug symbols: (lldb) image lookup -r -s <FUNC_REGEX> Provide a list of binaries as arguments to limit the search. |
||
| Find full source line information. | |||
| (gdb) info line 0x1ec4
|
This one is a bit messy at present. Do:
(lldb) image lookup -v --address 0x1ec4 and look for the LineEntry line, which will have the full source path and line range information. |
||
| Look up information for an address in a.out only. | |||
| (lldb) image lookup --address 0x1ec4 a.out
(lldb) im loo -a 0x1ec4 a.out |
|||
Look up information for for a type Point by name. |
|||
| (gdb) ptype Point
|
(lldb) image lookup --type Point
(lldb) im loo -t Point |
||
| Dump all sections from the main executable and any shared libraries. | |||
| (gdb) maintenance info sections
|
(lldb) image dump sections
|
||
| Dump all sections in the a.out module. | |||
| (lldb) image dump sections a.out
|
(windbg) .dump /mfh a.out
|
||
| Dump all symbols from the main executable and any shared libraries. | |||
| (lldb) image dump symtab
|
|||
| Dump all symbols in a.out and liba.so. | |||
| (lldb) image dump symtab a.out liba.so
|
|||
HyperDbg-specific Events
| GDB | LLDB | WinDbg / CDB | HyperDbg |
| Classic hidden-hooks using Extended Page-Table (EPT) on a special process. | |||
| (hyperdbg) !epthook 0xbffff3c0 pid 4
|
|||
| Fast hidden hooks (detours) using Extended Page-Table (EPT). | |||
| (hyperdbg) !epthook2 0xbffff3c0
|
|||
| Hook a special system-call. | |||
| (hyperdbg) !syscall 0x55
(hyperdbg) !syscall2 0x55 |
|||
| Hook sysret instructions. | |||
| (hyperdbg) !sysret
(hyperdbg) !sysret2 |
|||
| Monitor for memory access and Memory Mapped I/O (MMIO). | |||
| (hyperdbg) !monitor rw 0xff349068 0xff349f50
|
|||
| Intercept and modify I/O port usage (IN and OUT instructions) on a special port. | |||
| (hyperdbg) !ioin 0x3f8
(hyperdbg) !ioout 0x3f8 |
|||
| Detect reads and writes into a special (0xc0000082) Model-Specific Register (MSR). | |||
| (hyperdbg) !msrread 0xc0000082
(hyperdbg) !msrwrite 0xc0000082 |
|||
| Detect any execution of VMCALLs (Hypercalls). | |||
| (hyperdbg) !vmcall
|
|||
| Detect any execution of CPUID instruction. | |||
| (hyperdbg) !cpuid
|
|||
| Detect any access to debug registers. | |||
| (hyperdbg) !dr
|
|||
| Hook any entries in Interrupt Descriptor Table (IDT). | |||
| For first, 32 entries of IDT: (hyperdbg) !exception 0xe
For IDT entries between 32-256: (hyperdbg) !interrupt 0x2f |
|||
| Intercept any execution of instructions relating to Time Stamp Counters and Performance Counters. | |||
| For RDTSC/RDTSCP:
(hyperdbg) !tsc For RDPMC: (hyperdbg) !pmc |
|||
Kernel-specific Commands
| GDB | LLDB | WinDbg / CDB | HyperDbg |
| Read and write into Model-Specific Registers (MSRs). | |||
| (windbg) rdmsr 0xc0000082
(windbg) wrmsr 0xc0000082 fffff8035d3ff000 |
(hyperdbg) rdmsr 0xc0000082
(hyperdbg) wrmsr 0xc0000082 fffff8035d3ff000 |
||
| Convert virtual address to physical address and physical address to virtual address. | |||
| (windbg) !vtop 98fd fffff8035d3ff000
|
Virtual to physical address conversion:
(hyperdbg) !va2pa fffff8035d3ff000 Physical to virtual address conversion: (hyperdbg) !pa2va 80550 | ||
| Try to hide debugger from anti-debugging methods, and microarchitectural timing attacks to the hypervisor. | |||
| (hyperdbg) !measure
(hyperdbg) !measure default (hyperdbg) !hide pid 480 (hyperdbg) !hide name pafish.exe |
|||
| Display page-level address translation and page table entries. | |||
| (windbg) !pte fffff8035d3ff000
|
(hyperdbg) !pte fffff8035d3ff000
|
||
Miscellaneous
| GDB | LLDB | WinDbg / CDB | HyperDbg |
| Search help for a keyword. | |||
| (gdb) apropos keyword
|
(lldb) apropos keyword
|
(windbg) .hh keyword
|
It just shows the command's help: (hyperdbg) .help command
|
| Echo text to the screen. | |||
| (gdb) echo Here is some text\n
|
(lldb) script print "Here is some text"
|
(windbg) .printf "Here is some text"
|
(hyperdbg) ? printf("Here is some text\n");
|
| Show processor information. | |||
| (windbg) !cpuinfo
|
(hyperdbg) cpu
|
||
| Configure symbol server. | |||
| (windbg) .sympath C:\MyApp;srv*C:\symbols
(windbg) .reload /f |
(hyperdbg) .sympath SRV*c:\Symbols
(hyperdbg) .sym reload |
||
| Run a script. | |||
| (gdb) source -v script.txt
|
(lldb) command script import script.py
|
(windbg) $<script.txt (windbg) $><script.txt (windbg) $$<script.txt (windbg) $$><script.txt (windbg) $$>a< "script.txt" "First one" Two "Three More" | (hyperdbg) .script script.txt
|
| Perform output redirection. | |||
| (hyperdbg) output create MyOutputName1 file output.txt
(hyperdbg) output create MyOutputName2 tcp 192.168.1.10:8080 (hyperdbg) output create MyOutputName3 namedpipe \\.\Pipe\HyperDbgOutput (hyperdbg) output open MyOutputName1 (hyperdbg) output open MyOutputName2 (hyperdbg) output open MyOutputName3 (The above outputs can be used in events.) |
|||
| Remap source file pathnames for the debug session. If your source files are no longer located in the same location as when the program was built --- maybe the program was built on a different computer --- you need to tell the debugger how to find the sources at their local file path instead of the build system's file path. | |||
| (gdb) set pathname-substitutions /buildbot/path /my/path
|
(lldb) settings set target.source-map /buildbot/path /my/path
|
||
| Supply a catchall directory to search for source files in. | |||
| (gdb) directory /my/path
|
(No equivalent command - use the source-map instead.)
|
||
| Save the results of the commands into a log file. | |||
| (gdb) set logging on
(gdb) set logging file /tmp/log.txt (gdb) ... (commands) ... (gdb) set logging off |
(It's possible through custom python scripts.)
|
(windbg) .logopen log.txt
(windbg) ... (commands) ... (windbg) .logclose |
(hyperdbg) .logopen log.txt
(hyperdbg) ... (commands) ... (hyperdbg) .logclose |
License
* Last updated at 6th July 2022.
This page is licensed under the standard LLVM License, an open source "BSD-style" license.