
Breakpoint on api call

Open orenbenya1 opened this issue 4 years ago • 7 comments

Is there an option to do BPX in edb? For example, using BPX malloc to break on every call to the malloc function.



orenbenya1 avatar Jan 18 '20 08:01 orenbenya1

Not explicitly. However, if the binary isn't stripped and has symbols for malloc, you can find the malloc function and place a breakpoint on it using the symbol viewer.

Having a more streamlined interface to do this kind of thing would be a good idea though.

eteran avatar Jan 18 '20 17:01 eteran

If the binary uses malloc from libc, then it doesn't even need symbols. The function can be found using the Symbols dialog. On my system it's called libc-2.27.so!malloc.

10110111 avatar Jan 18 '20 17:01 10110111

> If the binary uses malloc from libc, then it doesn't even need symbols. The function can be found using the Symbols dialog. On my system it's called libc-2.27.so!malloc.

I understand, but what if a program is using some kind of packer (UPX, for example)? Anyway, I reverse a lot with x64dbg, and the option to just run a simple command like "bpx virtualalloc" is really nice and good to have.

orenbenya1 avatar Jan 18 '20 17:01 orenbenya1

How is being packed related to setting a breakpoint? Do you mean dynamically set breakpoint on a symbol when a shared library is loaded (like GDB's break command can)?

10110111 avatar Jan 18 '20 18:01 10110111

For example, if you use the flag challenge from pwnable.kr (http://pwnable.kr/bin/flag), you get an ELF file packed with UPX; after it's unpacked it calls the malloc and strcpy functions. You won't see them in the symbol viewer, so it would be nice to have an option to create a breakpoint on those functions once they are loaded, using bpx malloc/strcpy.

orenbenya1 avatar Jan 18 '20 18:01 orenbenya1

Well, it won't help you with this flag. This binary doesn't load any libraries, so what you really need is to catch system calls. I don't remember whether EDB can do this though. GDB definitely can (see help catch syscall in the GDB command line). So can strace (well, it's its main objective :) ). If EDB can't yet (@eteran, can it?) it's worth implementing. ptrace has a special continuation mode, PTRACE_SYSCALL.

10110111 avatar Jan 18 '20 18:01 10110111

We've discussed adding a "step until the next system call" function to edb a while ago, and I like the idea. We could even make it only trap on specific system calls.

Unfortunately, that won't help too much for things like malloc as they call brk to acquire large chunks of system memory on an as-needed basis and don't need to do this on most calls.

eteran avatar Jan 18 '20 21:01 eteran
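As an added illustration of the "catch syscall" mechanism discussed in this thread (the PTRACE_SYSCALL continuation mode and the "step until the next system call" idea), here is a minimal tracer that is not edb's code: it forks a child, stops it at every syscall boundary, and counts entries to one chosen syscall number, which is exactly the point where a debugger would report a break. It assumes x86-64 Linux (the syscall number is read from orig_rax) and that ptrace is permitted.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Trace a forked child that issues getpid() `calls` times as a raw syscall and
   return how many syscall-entry stops for syscall number `target` were seen.
   Returns -1 when not on x86-64 Linux or when ptrace is refused (e.g. sandbox). */
int count_syscall_entries(long target, int calls)
{
#if !defined(__linux__) || !defined(__x86_64__)
    (void)target; (void)calls;
    return -1;
#else
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) _exit(100);
        raise(SIGSTOP);                    /* pause so the tracer can set options */
        for (int i = 0; i < calls; i++) syscall(SYS_getpid);
        _exit(0);
    }
    int status, sig = 0, entries = 0, in_syscall = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    /* TRACESYSGOOD marks syscall stops as SIGTRAP|0x80, so they are not
       confused with a real SIGTRAP from an int3 software breakpoint. */
    if (ptrace(PTRACE_SETOPTIONS, pid, 0, (void *)(long)PTRACE_O_TRACESYSGOOD) < 0)
        return -1;
    for (;;) {
        /* PTRACE_SYSCALL: run until the next syscall entry or exit; a pending
           non-trace signal is re-delivered rather than swallowed. */
        if (ptrace(PTRACE_SYSCALL, pid, 0, (void *)(long)sig) < 0) return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status) == 100 ? -1 : entries;
        if (WIFSIGNALED(status)) return -1;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(status); continue; }
        in_syscall = !in_syscall;          /* stops alternate: entry, exit, entry ... */
        if (!in_syscall) continue;
        struct user_regs_struct regs;      /* orig_rax holds the syscall number */
        if (ptrace(PTRACE_GETREGS, pid, 0, &regs) < 0) return -1;
        if ((long)regs.orig_rax == target) entries++;   /* a debugger would break here */
    }
#endif
}
```

Calling count_syscall_entries(SYS_getpid, 5) from a main() returns 5 on a system where tracing is allowed; filtering on a different number (SYS_brk, as eteran notes for malloc's growth path) is a one-argument change.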