GDB Notes — Basics, Navigation & Memory Inspection
These are concise notes on how to use GDB (GNU Debugger) effectively for analyzing ELF binaries and debugging at both C source and assembly levels.
1. Starting GDB
Basic invocation
gdb ./a.out
gdb -q ./program # Quiet mode (no banner)
With arguments
gdb --args ./program arg1 arg2
From inside GDB
(gdb) run arg1 arg2
2. Compiling for Debugging
Compile with the -g flag to include debug symbols:
gcc -g source.c -o prog
This preserves function names, line numbers, and variable mappings for use in GDB.
3. Breakpoints
Breakpoints stop execution at specified points.
Set breakpoints
(gdb) break main # At function
(gdb) break 42 # At line number 42
(gdb) break file.c:25 # In specific file
(gdb) break *0x401050 # At memory address
(gdb) b function_name # Shortcut
Conditional breakpoints
(gdb) break my_func if x == 5
Temporary breakpoint (auto-removes after hit)
(gdb) tbreak main
List / remove / disable breakpoints
(gdb) info breakpoints
(gdb) delete 1
(gdb) disable 2
(gdb) enable 2
4. Running and Controlling Execution
| Command | Alias | Description |
|---|---|---|
run | r | Start or restart program |
continue | c | Continue until next breakpoint |
next | n | Execute next source line (step over functions) |
step | s | Execute next source line, stepping into function calls |
finish | — | Continue until the current function returns |
until <line> | u | Run until a given line |
kill | — | Stop the running program |
quit | q | Exit GDB |
5. Instruction-Level Stepping
When source isn’t available (e.g., stripped ELF), step instruction by instruction:
| Command | Alias | Description |
|---|---|---|
nexti | ni | Next assembly instruction, step over calls |
stepi | si | Step into function calls (1 instruction) |
layout asm | — | Show assembly in TUI mode |
layout src | — | Show C source in TUI |
layout split | — | Split view (C + asm) |
layout next | — | Cycle through available layouts |
You can combine stepi with info registers to trace CPU execution precisely.
6. Viewing Source & Assembly
View source
(gdb) list # Show next 10 lines
(gdb) list 20 # Show 10 lines around line 20
(gdb) list main # List lines in main()
Disassemble functions
(gdb) disassemble main
(gdb) disassemble /s main # Show mixed C + assembly
(gdb) x/i $pc # Show current instruction
🔬 7. Inspecting Registers and Stack
Show registers
(gdb) info registers
(gdb) info registers rax rbx # Specific ones
Stack and frame info
(gdb) backtrace # Show call stack
(gdb) frame 0 # Inspect top frame
(gdb) info frame # Detailed frame info
Function arguments & locals
(gdb) info args
(gdb) info locals
8. Examining Memory
x = examine memory
Format: x/[count][format][size] address
Common examples
(gdb) x/10x 0x555555556010 # 10 words, hex
(gdb) x/16bx $rsp # 16 bytes at stack pointer
(gdb) x/s 0x55555555601c # print string at address
(gdb) x/i $pc # disassemble current instruction
Format options
| Format | Meaning |
|---|---|
x | hexadecimal |
d | decimal |
s | string |
i | instruction |
c | character |
Size options
| Size | Meaning |
|---|---|
b | byte (1) |
h | halfword (2) |
w | word (4) |
g | giant (8) |
Example:
x/8gx $rsp # Examine 8 quadwords (8-byte words)
9. Printing Values and Variables
Print variable or register
(gdb) print i
(gdb) print $rax
Custom output
(gdb) printf "rax = 0x%lx\n", $rax
(gdb) printf "string: %s\n", (char*)$rdi
Expressions
(gdb) print *ptr
(gdb) print *(int*)0x555555556020
10. Inspecting Process State
Show running program
(gdb) info inferiors
Shows the current process under debugging (useful when the program forks).
Inferior means “a process controlled by GDB”.
Switch between multiple inferiors
(gdb) inferior 2
(gdb) focus inferiors 2
11. Common Use Cases
Break at execve to inspect arguments
(gdb) break execve
(gdb) run f
(gdb) printf "path: %s\n", (char*)$rdi
(gdb) x/8gx $rsi
Inspect ELF loaded in memory
(gdb) x/32bx 0x555555554000
(gdb) x/s $rip
Trace function call sequence
(gdb) backtrace
# shows who called the current function
12. TUI (Text User Interface) Shortcuts
| Shortcut | Action |
|---|---|
Ctrl+X A | Toggle TUI mode |
Ctrl+L | Refresh screen |
Ctrl+P / Ctrl+N | Command history navigation |
layout src | C source view |
layout asm | Assembly view |
layout split | Combined view |
layout regs | Show register window |
Ctrl+X 2 | Split horizontally |
13. Inspecting Arguments in Registers (x86-64 SysV ABI)
When debugging system calls or stripped binaries:
| Register | Argument |
|---|---|
| RDI | 1st argument |
| RSI | 2nd |
| RDX | 3rd |
| RCX | 4th |
| R8 | 5th |
| R9 | 6th |
For example, in:
execve(path, argv, envp);
You can check:
(gdb) print (char*)$rdi # path
(gdb) x/8gx $rsi # argv array
(gdb) x/s *$rsi # argv[0] string
14. Miscellaneous Tips
- Run GDB in split layout for simultaneous C + assembly view:
(gdb) layout split - Step at C level with
next/step; switch to asm-level withnexti/stepi. - To dump memory into file:
dump memory /tmp/memdump.bin 0x555555554000 0x555555556000 - To examine the environment:
show environment - To examine dynamically loaded libraries:
info sharedlibrary
Summary Cheat Sheet
| Category | Command | Shortcut | Description |
|---|---|---|---|
| Run | run | r | Start program |
| Continue | continue | c | Resume until breakpoint |
| Next line | next | n | Step over |
| Step in | step | s | Step into function |
| Next instruction | nexti | ni | Step over one instruction |
| Step instruction | stepi | si | Step into instruction |
| Registers | info registers | — | Show CPU registers |
| Memory | x/[n][format][size] addr | — | Examine memory |
| Breakpoint | break <loc> | b | Set breakpoint |
| Delete breakpoint | delete <num> | d | Remove |
| Stack trace | backtrace | bt | Show call stack |
| Disassembly | disassemble /s | — | Show mixed view |
| Quit | quit | q | Exit GDB |
Example Session Recap
$ gdb -q matryoshka
(gdb) break execve
(gdb) run f
(gdb) printf "exec path: %s\n", (char*)$rdi
(gdb) x/8gx $rsi
(gdb) x/s *$rsi
(gdb) info inferiors
(gdb) dump memory /tmp/blob.bin 0x555555556000 0x555555560000