CyberCheatsheets

GDB (GEF / Pwndbg) Cheat Sheet

GNU debugger for binary analysis with GEF or Pwndbg for heap, registers, and exploit-oriented views.

Exploitation & Payloads | binary | debugger | gef | pwndbg | Updated 2026-06-02

Overview

GDB debugs native binaries at runtime. GEF (GDB Enhanced Features) and Pwndbg add context panels, heap commands, ROP search, and vmmap — essential for exploit development and crash triage.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y gdb gdb-multiarch

GEF

bash -c "$(curl -fsSL https://gef.blah.cat/sh)"

Pwndbg (alternative — do not load both at once)

git clone https://github.com/pwndbg/pwndbg
cd pwndbg && ./setup.sh

Verify

gdb -q -ex "pi print('gef ok')" -ex quit ./binary 2>/dev/null || true

Essential commands

Start / attach

gdb ./vuln
gdb -q ./vuln -ex 'run $(python3 -c "print(\"A\"*100)")'
gdb -p $(pidof vuln)

Inside GDB (all flavors)

break main
break *0x401234
run
continue
next / step / finish
info registers
x/20gx $rsp
disas main
quit

Common workflows

Find buffer overflow offset —

gdb ./vuln
run < <(python3 -c "from pwn import cyclic; import sys; sys.stdout.buffer.write(cyclic(300))")

Inspect crash context (GEF) —

gdb ./vuln
run

On crash

context                    # regs + stack + code
heap chunks               # glibc heap layout
checksec                  # NX, PIE, Canary, etc.
vmmap

In pwndbg

context
telescope $rsp 20
vmmap
rop --grep "pop rdi"
search -t string "/bin/sh"
got
plt

Remote debugging (gdbserver) —

Target

gdbserver 0.0.0.0:1234 ./vuln

Attacker

gdb ./vuln
target remote 10.10.10.5:1234
continue

Conditional breakpoints —

break *0x4012a0 if $rax == 0x41
commands
silent
printf "hit with rax=%p\n", $rax
continue
end

Flags reference

start                            Begin at program entry (no main yet)
starti                           Stop at first instruction
info breakpoints                 List breakpoints
delete N                         Remove breakpoint
watch *(long *)0x601010          Break on memory write
set disable-randomization on     ASLR off for session
set follow-fork-mode child       Trace child after fork
gef config (GEF) / config (Pwndbg)   Plugin settings

Tips

  • Use gdb-multiarch for ARM/MIPS: set architecture arm.
  • Use gef-remote (GEF) or target remote (Pwndbg) to debug inside VMs when the host copy of the binary has no symbols.
  • pie break *main works when PIE is enabled (GEF).
  • vmmap before writing exploits — confirm NX and executable regions.
  • Do not load GEF and Pwndbg together; pick one in ~/.gdbinit.
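
The vmmap tip above comes down to reading the permission bits of each mapping. As an added example (not from the original page and not GEF or Pwndbg code), this Python script parses text in the Linux /proc/<pid>/maps format and flags mappings that are both writable and executable, or an executable stack or heap. The sample input and the /home/lab/vuln path are constructed.

```python
import re

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+"
    r"([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)

def parse_maps(text):
    """Parse maps text into a list of dicts; malformed lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        regions.append({"start": start, "end": end, "size": end - start,
                        "perms": m.group(3), "path": m.group(7) or "[anon]"})
    return regions

def audit(regions):
    """Return (start, path, finding) tuples for mappings that weaken NX."""
    findings = []
    for r in regions:
        writable, executable = r["perms"][1] == "w", r["perms"][2] == "x"
        if r["path"] in ("[stack]", "[heap]") and executable:
            findings.append((r["start"], r["path"],
                             "executable " + r["path"].strip("[]")))
        elif writable and executable:
            findings.append((r["start"], r["path"], "writable and executable"))
    return findings

# Constructed sample, not captured from a real process.
SAMPLE = """\
00400000-00401000 r--p 00000000 08:01 1311 /home/lab/vuln
00401000-00402000 r-xp 00001000 08:01 1311 /home/lab/vuln
00404000-00405000 rw-p 00003000 08:01 1311 /home/lab/vuln
01c3a000-01c5b000 rw-p 00000000 00:00 0 [heap]
7f2a10000000-7f2a10021000 rwxp 00000000 00:00 0
7ffd4a1e0000-7ffd4a201000 rwxp 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for start, path, finding in audit(parse_maps(SAMPLE)):
        print(f"{start:#014x}  {path:<8}  {finding}")
```

To audit a live process, pass the contents of /proc/<pid>/maps to parse_maps instead of SAMPLE.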
