Cheat Sheet

Uploaded by

vetide2277

PWNDBG CHEATSHEET https://pwndbg.re/

GDB COMMANDS

file <path>
  load binary file to debug
run [<args>…]
  run program [with args]
starti [<args>…]
  start program and stop at its very first instruction
set args <args>…
  set program arguments
break <where>
  set a breakpoint
info breakpoints|threads|regs
  list breakpoints/threads/register values
delete <breakpoint>
  delete a breakpoint
next
  go to next (source) line
step
  go to next line stepping into functions
ni
  go to next instruction
si
  go to next instruction stepping into functions
finish
  run until current function returns
continue
  continue program execution
print <what>
  evaluate and print an expression
x/format <address>
  examine memory with given format (see help x)
apropos <topic>
  find information about topic
backtrace
  print backtrace (call stack)
up, down
  move up/down the call stack

PWNDBG COMMANDS

pwndbg [<topic>]
  print info about pwndbg commands
config
  show pwndbg configuration
theme
  show pwndbg theme configuration
tip [--all]
  print tips that are shown during startup

CONTEXT DISPLAY

context [<section>]
  display context or a given context section (regs, disasm, args, code, stack, backtrace, expressions, ghidra, threads)
set context-sections [<sect1>] [<sect2>…]
  set context to display only given sections
ctx-watch eval|execute <expression>
  adds a given expression to be shown on context display

START COMMANDS

attachp <pid|name>
  attach to given pid or process by part of its name
start [<args>…]
  run and stop program at the first found symbol from: main, _main, start, _start, init, _init or entry
entry [<args>…]
  run and stop program at its entrypoint address
sstart [<args>…]
  run and stop program at the __libc_start_main function

MEMORY COMMANDS

vmmap [<address|name>]
  display memory mappings information [filtered by address or name]
search <what>
  search memory for a given value
telescope <where> [<count>]
  examine memory dereferencing valid pointers
hexdump <where> [<count>]
  print hexdump of given address
p2p <mapping_names> [<mapping_names>…]
  pointer to pointer chain search (e.g. p2p stack libc will look for pointers to libc on the stack)
xinfo <where>
  show offsets of the specified address from various useful locations

STACK COMMANDS

retaddr
  print return addresses on the stack
canary
  print the global stack canary/cookie value and find canaries on the stack

NAVIGATION

xuntil <where>
  continue until an address or function
nextcall
  continue to next call instruction
nextjmp
  continue to next jump instruction
nextret
  continue to next return-like instruction
stepret
  step until a ret instruction is found
stepuntilasm <asm code>
  step until a given assembly instruction (or mnemonic) is found

LINUX/LIBC/ELF COMMANDS

checksec
  print binary mitigations status
piebase
  print the relocated binary base address
got
  print symbols in the .got.plt section
gotplt
  print symbols in the .got.plt section
plt
  print symbols in the .plt section
tls
  print thread local storage address

MISC COMMANDS

distance <where1> <where2>
  compute difference between two addresses
patch <where> '<instructions>…'
  patch given address with given code/bytes
patch_list
  list all applied patches
patch_revert <patch>
  revert a patch
cymbol [...]
  add, show, load, edit, or delete custom structures in plain C (so they can be used e.g. with the print command)
plist [...]
  dump elements of a linked list (see help plist)
procinfo
  display process information
errno [<errno value>]
  print libc's errno error code string

GLIBC HEAP HACKING

heap_config
  show glibc allocator hacking configuration
heap
  iteratively print chunks on heap (glibc only)
vis_heap_chunks
  visualize chunks on a heap
bins
  print contents of all arena bins and thread's tcache
find_fake_fast <address>
  find candidate fake fast or tcache chunks overlapping the specified address
try_free <address>
  check what would happen if free was called with given address
