This is a fork of GEF that includes three major improvements:
- Adds heuristic commands for kernel debugging without requiring a symbolized
vmlinux(forqemu-system, supports Linux kernel 3.x-6.15.x). - Expands support to many architectures (for
qemu-user). - Provides heap dump commands for multiple memory allocators.
Numerous other commands have been added and enhanced. Enjoy!
- Verified on Ubuntu 24.04 and 25.04.
- Expected to work on Ubuntu 22.04-23.10.
- Might work on Ubuntu 20.04-21.10, though not recommended.
- Run the following command (NEW: this is the
uv-based installer).wget -q https://raw.githubusercontent.com/bata24/gef/dev/install-uv.sh -O- | sudo sh - Notes
- To simplify installation,
gef.pyis always installed to/root/.gef/gef.py - The required Python packages are in
/root/.gef/.venv-gef. - GEF's directory (
/root/.gef) is also registered in/root/.gdbinit. - If you want to use a different user or location, move or edit these files manually.
- For more installation options (no
venv, minimal install, and usingvenv + pip), see docs/FAQ.md.
- To simplify installation,
python3 /root/.gef/gef.py --upgrade- Note
- If you get errors after upgrading, it may be due to old config. Try renaming
/root/.gef.rc.
- If you get errors after upgrading, it may be due to old config. Try renaming
rm -rf /root/.gef
rm -f /root/.gef.rc
rm -rf /tmp/gef
sed -i -e '/from gef import/d' /root/.gdbinitPlease refer to install.sh or install-minimal.sh for installation requirements.
- Standard debugging
- Attaching to a running process
- Attaching to a process in an isolated namespace (e.g., attaching from outside a Docker container)
- Connecting to Gdbserver
- Connecting to the GDB stub of Qemu-system
- Connecting to the GDB stub of Qemu-user
- Connecting to the GDB stub of Intel Pin
- Connecting to the GDB stub of Intel SDE
- Connecting to the GDB stub of Qiling framework
- Connecting to the GDB stub of KGDB (requires GDB version 12 or later)
- Connecting to the GDB stub of VMWare
- Connecting to the GDB stub of Wine
- Debugging with Record and replay (
rr replay)
For a comprehensive list and additional details, see docs/SUPPORTED-MODE.md.
pagewalk: scans physical memory, parses page tables, and displays memory maps.- x64 (Supported: 4-Level/5-Level Paging)
- x86 (Supported: PAE/Non-PAE)
- ARM64 (Supported: only Cortex-A, EL0-EL3, stage1-2)
- ARM v8.7 base. 32bit mode is NOT supported.
- Here is a sample of each level pagewalk from HITCON CTF 2018
super_hexagon. - Secure memory scanning is also supported, but you have to break in the secure world.
- Pseudo memory map without detailed flags and permissions can be output even in the normal world (when OP-TEE).
- ARM (Supported: only Cortex-A, LPAE/Non-LPAE, PL0/PL1)
- ARM v7 base. PL2 is NOT supported.
- Secure memory scanning is also supported, and you don't have to break in the secure world (unlike ARM64).
- x64 (Supported: 4-Level/5-Level Paging)
pagewalk-with-hints: prints pagetables with description.v2p/p2v: displays the transformation between virtual addresses and physical addresses.xp: is a shortcut for physical memory dump.qreg: displays the register values from qemu-monitor (allows getting values like$cseven under qemu 2.x).- It is a shortcut for
monitor info registers. - It also prints the details of each bit of the system register when x64/x86.
- It is a shortcut for
sysreg: pretty prints system registers.- It shows
info registersresults, excluding general registers.
- It shows
msr: reads/writes MSR (Model Specific Registers) value by embedding/executing dynamic assembly.- Supported on x64 and x86.
kbase: displays the kernel base address.kversion: displays the kernel version.kcmdline: displays the kernel cmdline used at boot time.kcurrent: displays current task address.ksymaddr-remote: displays kallsyms information from scanning kernel memory.- Supported kernel versions: 3.x to 6.15.x.
ksymaddr-remote-apply/8000 vmlinux-to-elf-apply: applies kallsyms information obtained byksymaddr-remoteorvmlinux-to-elfto gdb.- Once you get a symboled pseudo ELF file, you can reuse and apply it automatically even after rebooting qemu-system.
vmlinux-to-elf-applyandksymaddr-remote-applyprovide almost the same functionality.vmlinux-to-elf-apply: Requires installation of external tools. Createvmlinuxwith symbols.ksymaddr-remote-apply: Requires no external tools. Create a blank ELF with only embedded symbols.
slub-dump: dumps slub free-list.- Supported on x64/x86/ARM64/ARM +
SLUB+ no-symbol + kASLR. - Supported regardless of whether
CONFIG_SLAB_FREELIST_HARDENEDisyorn. - It supports dumping partial pages (
-v) and NUMA node pages (-vv). - Since
page_to_virtis difficult to implement, it will heuristically determine the virtual address from the free-list.
- Supported on x64/x86/ARM64/ARM +
slab-dump: dumps slab free-list.- Supported on x64/x86/ARM64/ARM +
SLAB+ no-symbol + kASLR.
- Supported on x64/x86/ARM64/ARM +
slob-dump: dumps slob free-list.- Supported on x64/x86/ARM64/ARM +
SLOB+ no-symbol + kASLR.
- Supported on x64/x86/ARM64/ARM +
slub-tiny-dump: dumps slub-tiny free-list.- Supported on x64/x86/ARM64/ARM +
SLUB-TINY+ no-symbol + kASLR.
- Supported on x64/x86/ARM64/ARM +
slab-contains: resolves the slab cache (kmem_cache) that a certain address (object) belongs to (forSLUB/SLUB-TINY/SLAB).- For
SLUB/SLUB-TINY, if all chunks belonging to a certainpageare in use, they will not be displayed byslub-dump/slub-tiny-dumpcommand. - Even with such an address (object), this command may be able to resolve
kmem_cache.
buddy-dump: dumps the zone of the page allocator (buddy allocator) free-list.vmalloc-dump: dumpsvmallocused-list and freed-list.page: displays the transformation between astruct pageand its virtual/physical address.- There are shortcuts:
virt2page,page2virt,phys2pageandpage2phys.
kchecksec: checks kernel security.kmagic: displays useful addresses in the kernel.kconfig: dumps the kernel config if available.syscall-table-view: displays the system call table.- It also dumps the ia32/x32 syscall table under x64.
- It also dumps the compat syscall table under ARM64.
ksysctl: dumps the sysctl parameters.ktask: displays each task's address.- It also displays the memory map of the userland process.
- It also displays the register values saved on the kstack of the userland process.
- It also displays the file descriptors of the userland process.
- It also displays the signal handlers of the userland process.
- It also displays the namespaces of the userland process.
- It also displays the seccomp-filter.
kmod: displays each module's address.- It also displays the symbols of each module.
kload: loadsvmlinuxwithout a load address.- It is useful if you have a
vmlinuxwithdebuginfoat hand.
- It is useful if you have a
kmod-load: loads the kernel module without a load address.- It is useful if you have a kernel module with
debuginfoat hand.
- It is useful if you have a kernel module with
kops: displays each operation's member.kcdev: displays information for each character device.kbdev: displays information for each block device.- If there are too many block devices, detection will not be successful.
- This is because block devices are not managed in one place, so I use the list of
bdev_cacheobtained from the slub-dump results.
kfilesystems: dumps supported file systems.kclock-source: dumps the clocksource list.kdmesg: dumps the ring buffer of the dmesg area.kpipe: displays information for each pipe.kbpf: dumps the BPF information.ktimer: dumps the timer.kpcidev: dumps the PCI devices.kipcs: dumps IPCs information (System V semaphore, message queue and shared memory).kdevio: dumps I/O-port and I/O-memory information.kdmabuf: dumps DMA-BUF information.kirq: dumps irq information.knetdev: displays net devices.ksearch-code-ptr: searches for the code pointer in kernel data area.thunk-tracer: collects and displays the thunk function addresses that are called automatically (only x64/x86).- If this address comes from RW area, this is useful for getting RIP.
usermodehelper-tracer: collects and displays the information that is executed bycall_usermodehelper_setup.kmalloc-tracer: collects and displays information whenkmalloc/kfree.kmalloc-allocated-by: calls a predefined set of system calls and prints structures allocated bykmallocor freed bykfree.ktrace: traces kernel functions and arguments.xsm: dumps secure memory when gdb is in normal world.- Supported on ARM64 and ARM.
wsm: writes the value to secure memory when gdb is in normal world.- Supported on ARM64 and ARM.
bsm: sets the breakpoint to secure memory when gdb is in normal world.- Supported on ARM64 and ARM.
optee-break-ta: sets the breakpoint to the offset of OPTEE-Trusted-App when gdb is in normal world.- Supported on ARM64 and ARM.
optee-smc-service-dump: dumps OPTEE SMC services.- Supported on ARM64.
optee-ta-dump: dumps the information of OPTEE-Trusted-Apps from the memory or specified host directory.- Supported on ARM64 and ARM.
optee-shm-list: shows the information of dynamic shared-memory buffers.- Supported on ARM64 and ARM.
pac-keys: pretty prints ARM64 PAC keys.- Supported on ARM64.
uefi-ovmf-info: dumps addresses of some important structures in each boot phase of UEFI when OVMF is used.- Supported on x64.
qemu-device-info: dumps device information for qemu-escape.
si/ni: are wrappers for nativesi/niif OpenRISC 1000 or CRIS.- On OpenRISC 1000 architecture, branch operations don't work well, so GEF uses breakpoints to simulate.
- On CRIS architecture,
stepi/nexticommands don't work well, so GEF uses breakpoints to simulate. - If you want to use native
si/ni, use the full formstepi/nexti.
c: is the wrapper for nativecif gdb is connected toqemu-userorIntel Pin.- When connecting to gdb stub of
qemu-userorIntel Pin, gdb does not trapSIGINTduringcontinue. - If you want to trap, you need to issue
SIGTRAPon theqemu-userorpinside, but switching screens is annoying. - This command realizes a pseudo
SIGTRAPtrap by trappingSIGINTon the Python side and throwingSIGTRAPback toqemu-userorIntel Pin. - It works only for local
qemu-userorIntel Pin. - If you want to use native
c, use the full formcontinue.
- When connecting to gdb stub of
- Glibc heap commands has been improved.
- It changes the color and prints a symbol if it exists.
- They print bins information if the chunk is in free-list.
- Thread arena is supported for all
heapcommands.- Use
-aoption.
- Use
- It supports some new sub-commands.
heap arenasheap topheap bins-simpleheap try-mallocheap try-free- You can also execute any command on the memory status after emulation is completed.
heap try-reallocheap try-callocheap tcache-index-helperheap find-fake-fast: searches for a memory with a size-like value that can be linked to the fastbin free-list.heap extract-heap-addr: analyzes tcache-protected-fd introduced from glibc-2.32.heap calc-protected-fd: calculates a valid value as protected fd.heap visual-heap: is colorized heap viewer.heap tracer: has been integrated fromheap-analysis-helper.
- It changes the color and prints a symbol if it exists.
- uClibc heap commands are added.
uclibc-ng-heap-dump: dumps uClibc-ng heap chunks.- Supported on x64 and x86, based on uClibc-ng v1.0.42 malloc-standard.
- How to test (x64):
- Download and extract
x86-64--uclibc--stable-2024.05-1.tar.bz2from https://toolchains.bootlin.com/ - Add
/PATH/TO/x86_64-buildroot-linux-uclibc/binto$PATH, then build asx86_64-linux-gcc test.c. - Fix interpreter by
patchelf --set-interpreter /PATH/TO/x86_64-buildroot-linux-uclibc/sysroot/lib/ld64-uClibc.so.0 a.out.
- Download and extract
uclibc-ng-visual-heap: is colorized heap viewer for uClibc-ng.
partition-alloc-dump: dumps Partition-Alloc free-list for chromium.- This command is reserved for the implementation of the latest version of Chromium.
- Currently tested: v139.x / 1468821 / 01178c42622d4ffcf6a7b2a974a62d35a231f7b8
- Supported on x64 and ARM64 (maybe it works on x86/ARM too, but not tested).
- It will try heuristic search if the binary has no symbol.
- How to test:
tcmalloc-dump: dumps TCMalloc (gperftools-2.16-1or namedlibgoogle-perftools{4,-dev}) free-list (only x64).- How to test:
- Execute as
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libtcmalloc.so ./a.out.
- Execute as
musl-heap-dump: dumps Musl-Libc v1.2.5 heap chunks (only x64/x86).- How to test:
- Get and extract the latest source from https://musl.libc.org/
- Build with
./configure && make install. - Build as
/usr/local/musl/bin/musl-gcc test.c.
go-heap-dump: dumps Go Language v1.22.2 mheap (only x64).tlsf-heap-dump: dumps TLSF (Two-Level Segregated Fit) v2.4.6 free-list (only x64).- How to test (x64):
- Get and extract the latest source from http://www.gii.upv.es/tlsf/
- Build with
cd TLSF-2.4.6/src && make && cd ../examples && makethen usetest1etc.
hoard-heap-dump: dumps Hoard v3.13 free-list (only x64).- How to test (x64):
- Get and extract the latest source from https://github.com/emeryberger/Hoard
- Build with
cd Hoard/src && make. - Execute as
LD_PRELOAD=/PATH/TO/libhoard.so ./a.out.
mimalloc-heap-dump: dumps mimalloc free-list (only x64).- How to test (x64):
- Get and extract the latest source from https://github.com/microsoft/mimalloc
- Build with
mkdir build && cd build && cmake -DCMAKE_BUILD_TYPE=Debug .. && make. - Execute as
LD_PRELOAD=/PATH/TO/libmimalloc.so ./a.out.
scalloc-heap-dump: dumps scalloc free-list (only x64).- How to test (x64):
- Get and extract the latest source from https://github.com/cksystemsgroup/scalloc
- Fix the bug with
sed -i -e 's/\(strncat(.*\), 1);/\1, 2);/' src/log.h. - Build with
gyp --depth . scalloc.gyp && make. - Enable overcommit with
echo 1 > /proc/sys/vm/overcommit_memory. - Execute as
LD_PRELOAD=/PATH/TO/libscalloc.so ./a.out.
snmalloc-heap-dump: dumps snmalloc free-list (only x64).- How to test (x64):
- Get and extract the latest source from https://github.com/microsoft/snmalloc
- Build with
mkdir build && cd build && cmake -G Ninja .. -DCMAKE_BUILD_TYPE=Debug && ninja. - Execute as
LD_PRELOAD=/PATH/TO/libsnmallocshim.so ./a.out.
optee-bget-dump: dumps bget allocator of OPTEE-Trusted-App.
vmmap- It displays the memory map information even when connecting to gdb stub of
qemu-user. - It also supports
Intel Pin. - It also supports
Intel SDE. - It is redirected to
pagewalkwhen connecting to gdb stub ofqemu-system. - It supports detection and coloring of
Writable,ReadOnly,NoneandRWXregions. - It shows the area each register points to.
- It displays the memory map information even when connecting to gdb stub of
registers- It also shows raw values of the flag register, the current ring, the exception level, the secure state, etc.
- It also shows raw values of the flag register, the current ring, the exception level, the secure state, etc.
context- It supports automatic display of system call arguments when calling a system call.
- It supports new modes:
context oncontext off
- It supports automatic display of address and value when accessing memory.
- It supports smart symbol printing for C++ function.
- ex:
std::map<int, std::map<int, int>>will be replaced bystd::map<...>. - command:
gef config context.smart_cpp_function_name trueorsmart-cpp-function-name(later is used to toggle).
- ex:
- It supports automatic display of system call arguments when calling a system call.
telescope- It displays ordinal numbers as well as offsets.
- It displays if there are canaries and return addresses in the target area.
- It supports blacklist address features (to avoid dying when touching the address mapped to the serial device).
- It also shows the symbol if available.
- It supports some new options:
--is-addr--is-not-addr--zero--non-zero--tag--uniq--interval--depth--phys--list-head--slab-contains--slab-contains-unaligned
proc-info- It displays some additional information.
- It displays some additional information.
elf-info- It displays Program Header and Section Header.
- It supports parsing from memory.
- It supports parsing remote binary (if download feature is available).
xinfo- It shows more information.
- It also supports kernel debugging.
checksec- It shows additional information.
- Static or Dynamic or Static-PIE
- Stripped or not
- Debuginfo or not
- Intel CET IBT/SHSTK
- ARMv8 PAC, ARMv8 MTE
- RPATH, RUNPATH
- Clang CFI/SafeStack
- System-ASLR, GDB ASLR setting
- It supports parsing remote binary (if download feature is available).
- It shows additional information.
got- It displays not only GOT address but also PLT address.
- It scans
.plt.secsection if Intel CET is enabled. - It can also display the GOT of the library.
- It can also display
type,offset,reloc_arg,sectionandpermission.
- It displays not only GOT address but also PLT address.
canary- It displays all canary positions in memory.
- It displays all canary positions in memory.
edit-flags- It displays the meaning of each bit if
-voption is provided.
- It displays the meaning of each bit if
unicorn-emulate- It reads and writes correctly to the address pointed to by
$fs/$gs. - It supports a new mode to stop after executing N instructions (
-g). - It shows changed memories.
- It supports replacing the GOT of string functions using avx2 or NEON, which unicorn does not support, with slower original functions.
- It reads and writes correctly to the address pointed to by
ropper- It does not reset autocomplete settings after calling imported
ropper.
- It does not reset autocomplete settings after calling imported
hexdump- It supports physical memory if under qemu-system.
- It will retry with adjusting read size if reading memory fails.
- By default, the same line is omitted.
patch- It supports physical memory if under qemu-system.
- Added some new modes:
patch hexpatch patternpatch noppatch infpatch trappatch retpatch syscallpatch historypatch revertpatch range-replace
nopcommand has been integrated intopatchas sub-command.
search-pattern- It is supported under qemu-system (in short, it works without
/proc/self/maps) - It supports some new options:
--hex--hex-regex--aligned--perm--interval--limit--max-region-size--phys
- It also searches for UTF-16 string if target string is ASCII.
- It is supported under qemu-system (in short, it works without
mprotect- Rewritten to use
call-syscall.
- Rewritten to use
hijack-fd- It supports more architectures.
format-string-helper- It supports more
printf-like functions.
- It supports more
theme- Supports many colors.
reset-cache- It has been integrated into
gefas sub-command. - The cache structure within GEF has changed significantly. This command corresponds to them.
- It has been integrated into
tmux-setup- It has been integrated into
gefas sub-command. screenis no longer supported.tmuxsettings are predefined and cannot be customized.- If you want to customize it, edit dev/tmux/tmux_setup.py and run
source /path/to/tmux_setup.py.
- It has been integrated into
pid/tid: prints pid and tid.filename: prints filename.fds: shows opened file descriptors.auxv: pretty prints ELF auxiliary vector.- Supported also under
qemu-user.
- Supported also under
argv/envp: pretty prints argv and envp.dumpargs: dumps arguments of current function.vdso: disassembles the text area of vdso smartly.vvar: dumps the area of vvar.- This area is mapped to userland, but cannot be accessed from gdb.
- Therefore, it executes the assembly code and retrieves the contents.
gdtinfo: pretty prints GDT entries. If userland, show sample entries.idtinfo: pretty prints IDT entries. If userland, show sample entries.tls: pretty prints TLS area. Requires glibc.fsbase/gsbase: pretty prints$fs_base,$gs_base.libc/ld/heapbase/codebase: displays each of the base address.got-all: shows got entries for all libraries.break-rva: sets a breakpoint at relative offset from codebase.command-break: sets a breakpoint which executes user defined command if hit.main-break: sets a breakpoint atmainwith or without symbols, then continue.- This is useful when you just want to run to
mainusingqemu-userorpin, or debugging no-symbol ELF.
- This is useful when you just want to run to
load-break: breaks if something is loaded.regdump-break: sets a breakpoint which dumps specified registers if hit.multi-break: sets multiple breakpoints easily.break-if-taken/break-if-not-taken: sets a breakpoint which breaks if branch is taken (or not taken).distance: calculates the offset from its base address.fpu/mmx/sse/avx/avx512: pretty prints FPU/MMX/SSE/AVX/AVX512 registers.xmmset: sets the value to xmm/ymm/zmm register simply.mmxset: sets the value to mm register simply.exec-until: executes until specified operation.- Supports the following patterns:
- call
- jmp
- syscall
- ret
- indirect-branch (only x64/x86)
- all-branch (call || jmp || ret)
- memory-access (detect just
[...]) - specified-keyword-regex
- specified-condition (expressions using register or memory values)
- user-code
- libc-code
- secure-world
- Supports the following patterns:
call-trace: traces call, ret, and syscall instructions.xuntil: executes until specified address.- It is slightly easier to use than the original until command.
add-symbol-temporary: adds symbol information from command-line.errno: displays errno list or specified errno.u2d: shows cast/convert u64 <-> double/float.unsigned: shows unsigned value.convert: shows various conversion.addressify: converts reverse-order hex values to address.walk-link-list: walks the link list.hexdump-flexible: displays the hexdump with user defined format.hash: calculates various hashes.crc: calculates various CRCs.base-n-decode/base-n-encode: decodes/encodes various baseN.morse-decode/morse-encode: decodes/encodes morse code.saveo/diffo: saves and diffs the command outputs.memcmp: compares the contents of the address A and B, whether virtual or physical.memset: sets the value to the memory range, whether virtual or physical.memcpy: copies the contents from the address A to B, whether virtual or physical.memswap: swaps the contents of the address A and B, whether virtual or physical.meminsert: inserts the contents of the address A to B, whether virtual or physical.strlen: detects the length of the string.is-mem-zero: checks the contents of address range are all 0x00 or 0xff.seq-length: detects consecutive length of the same sequence.strings: searches for ASCII string from specific location.xs: dumps string likex/scommand, but with hex-string style.xc: dumps address likex/xcommand, but with coloring at some intervals.ii: is a shortcut forx/50i $pcwith opcode bytes.- It prints the value if it is memory access operation.
extra: manages user specified command to execute when each step.comment: manages user specified temporary comment.seccomp: invokesseccomp-tools.onegadget: invokesone_gadget.rp: invokesrp++with commonly used options.call-syscall: calls system call with specified values.mmap: allocates a new memory bycall-syscall.killthreads: kills specific or all threads (forpthread).constgrep: invokesgrepunder/usr/include/.proc-dump: dumps each file under/proc/PID/.up/down: are wrappers for nativeup/down.- It shows also backtrace.
time: measures the time of the GDB command.multi-line: executes multiple GDB commands in sequence.cpuid: shows the result of cpuid(eax=0,1,2...).read-system-register: reads system register for oldqemu-system-arm.read-control-register: reads control register for kgdb.capability: shows the capabilities of the debugging process.dasm: disassembles the code by capstone.asm-list: lists instructions. (only x64/x86)- This command uses x86data.js from https://github.com/asmjit/asmdb
syscall-search: searches for system call by regex.dwarf-exception-handler: dumps the DWARF exception handler information.magic: displays useful addresses in glibc etc.dynamic: dumps the_DYNAMICarea.link-map: dumps useful members oflink_mapwith iterating.dtor-dump: dumps some destructor functions list.ptr-mangle: shows the mangled value that will be mangled byPTR_MANGLE.ptr-demangle: shows the demangled value of the value mangled byPTR_MANGLE.search-mangled-ptr: searches for the mangled value from RW memory.follow: changesfollow-fork-modesetting.smart-cpp-function-name: togglescontext.smart_cpp_function_namesetting.ret2dl-hint: shows the structure used by return-to-dl-resolve as hint.srop-hint: shows the code for sigreturn-oriented-programming as hint.sigreturn: displays stack values for sigreturn syscall.smart-memory-dump: dumps all regions of the memory to each file.load-file: loads the file into memory.load-file-mmap: loads the file into memory that allocated bymmap.search-cfi-gadgets: searches for CFI-valid (for CET IBT) and controllable generally gadgets in the executable area.symbols: lists all symbols with coloring.types: lists all types with compaction.dt: makes it easier to useptype /ox TYPEandp ((TYPE*) ADDRESS)[0].- This command is designed for several purposes.
- When displaying very large struct, you may want to go through a pager because the results will not fit on one screen. However, using a pager, the color information disappears. This command calls the pager with preserving colors.
- When
ptype /ox TYPE, interpreting member type recursively often result is too long and difficult to read. This command keeps result compact by displaying only top-level members. - When
p ((TYPE*) ADDRESS)[0]for large struct, the setting ofmax-value-sizeis too small to display. This command adjusts it automatically. - When debugging a binary written in the Golang, the offset information of the type is not displayed. This command also displays the offset.
- When debugging a binary written in the Golang, the
p ((TYPE*) ADDRESS)[0]command will be broken. This is because the Golang helper script is automatically loaded and overwrites the behavior ofpcommand. This command creates the display results on the Python side, so we can display it without any problems.
v8: displays v8 tagged object.- It also loads more commands from latest gdbinit for v8.
cage: displays v8 (especiallyd8) ubercage.mte-tags: displays the MTE tags for the specified address.- Supported on ARM64.
iouring-dump: dumps the area of iouring (only x64).- This area is mapped to userland, but cannot be accessed from gdb.
- Therefore, it executes the assembly code and retrieves the contents.
gef version: shows software versions that GEF uses.gef status: shows architecture information used in GEF.gef reset-breakpoint: shows and resets all breakpoints.gef arch-list: displays defined architecture information.gef pyobj-list: displays defined global Python objects.gef avail-comm-list: displays a list of commands which are available or not for the current architecture and gdb execution mode.gef set-arch: sets a specific architecture to GEF.gef check-update: checks for GEF updates.binwalk-memory: scans memory bybinwalk.filetype-memory: scans memory byfileandmagika.sixel-memory: shows image to terminal byimagemagick.- If you have
pillowandpyzbarinstalled, a barcode detection option is also available.
stdio-dump: dumps members of stdin/stdout/stderr.peek-pageframe: reads page frame data.peek-pageflags: reads page flags of a page frame.angr: finds simple constraints byangr.history: shows gdb command history easily.crc32rev: performs CRC32 reverse calculation limited to ASCII character range.vdump: visualizes memory data like an image.qemu-system-memory-region-dump: dumps memory regions forqemu-system.
- The category is introduced in
gef help. - Combined into one file (from
gef-extra). The following are moved fromgef-extras.current-stack-frame,xref-telescope,bytearray, andbincompare.- This is because a single file is more attractive for me than ease of maintenance.
- The system-call table used by
syscall-argsis moved fromgef-extras.- It was updated up to Linux kernel 6.15 for each architecture.
- Removed some features that I don't use.
$ida-interactgef-remotepiepcustomksymaddrtrace-runshellcode
- Many bug fixes / formatting improvements / usability enhancements (made it easy for me to use).
- See docs/FAQ.md.