Command gef-remote
It is possible to use gef
in a remote debugging environment. Required files
will be automatically downloaded and cached in a temporary directory (/tmp/gef
on most
Unix systems). Remember to manually delete the cache if you change the target file or
gef
will use the outdated version.
With a local copy
If you want to remotely debug a binary that you already have, you simply need to
tell to gdb
where to find the debug information.
For example, if we want to debug uname
, we do on the server:
$ gdbserver 0.0.0.0:1234 /bin/uname
Process /bin/uname created; pid = 32280
Listening on port 1234
And on the client, simply run gdb
:
$ gdb /bin/uname
gef➤ target remote 192.168.56.1:1234
Process /bin/uname created; pid = 10851
Listening on port 1234
Or
$ gdb
gef➤ file /bin/uname
gef➤ target remote 192.168.56.1:1234
Without a local copy
It is possible to use gdb
internal functions to copy our targeted binary.
Following our previous example, if we want to debug uname
, run gdb
and
connect to our gdbserver
. To be able to locate the right process in the
/proc
structure, the command gef-remote
requires 1 argument, the target
host and port. The option -p
must be provided and indicate the process PID
on the remote host, only if the extended mode (-E
) is being used.
$ gdb
gef➤ gef-remote 192.168.56.1:1234
[+] Connected to '192.168.56.1:1234'
[+] Downloading remote information
[+] Remote information loaded, remember to clean '/tmp/gef/10851' when your session is over
As you can observe, if it cannot find the debug information, gef
will try to
automatically download the target file and store in the local temporary
directory (on most Unix /tmp
). If successful, it will then automatically load
the debug information to gdb
and proceed with the debugging.
You can then reuse the downloaded file for your future debugging sessions, use it under IDA and such. This makes the entire remote debugging process (particularly for Android applications) a child's game.
QEMU-user mode
Although GDB through QEMU-user works, QEMU only supports a limited subset of all
commands existing in the gdbremote
protocol. For example, commands such as
remote get
or remote put
(to download and upload a file from remote target,
respectively) are not supported. As a consequence, the default remote
mode
for gef
will not work either, as gef
won't be able to fetch the content of
the remote procfs.
To circumvent this and still enjoy gef
features with QEMU-user, a simple stub
can be artificially added, with the option -q
option of gef-remote
. Note
that you need to set the architecture properly first:
$ qemu-arm -g 1234 ./my/arm/binary
$ gdb-multiarch ./my/arm/binary
gef➤ set architecture arm
gef➤ gef-remote -q localhost:1234