Evan's Debugger (EDB)

Linux assembly debugger with GUI – useful for buffer overflows.

Layout

  • Assembly instructions of the application (the next instruction to execute is highlighted in blue)
  • CPU registers
  • Memory content (3 columns): memory address, data (hex), data (ASCII)
  • Stack content (4 columns): memory address, data (hex), data (ASCII), comments

(Screenshot: Evan's Debugger layout)

Start EDB

sudo edb

Open the vulnerable app

*** BEST OPTION *** With this method the application can be restarted from within the debugger.

  • Click on menu File->Open
  • Select the application file.
  • Click on Open
  • TO CONFIRM: Specify the program arguments: Click on View->Application Arguments.
  • Click on Debug->Run (twice, depending on the application).

Attach to an existing process

  • Click on File->Attach
  • Enter the process name in the filter textbox to search.
  • Select the process and click on OK.
  • Click on Debug->Run (twice, depending on the application).

Debugging

After opening a file, execution is paused at the entry point, which is not necessarily the main function.

Finding the main function

  • TO COMPLETE… 😉

Breakpoints

In the Assembly code window:

  • Right-click on the instruction and click Toggle Breakpoint (F2). TO CONFIRM: the instruction address in the Assembly code window is then highlighted in cyan.
  • Click on Debug->Run (F9) to get to the breakpoint.

Using the Breakpoint Manager:

  • Click on Plugins->BreakpointManager->Breakpoints.
  • Click on Add Breakpoint.
  • Enter the address in format 0x00000000
  • Click OK.
  • Click Close.
  • Click on Debug->Run (F9) to get to the breakpoint.

Stepping

  • Debug->Step into (F7): one instruction at a time, enters called functions
  • Debug->Step over (F8): one instruction at a time, executes called functions without entering them
  • Debug->Run (F9): continue the execution flow of the program

Bad Characters

Send a buffer containing every possible byte value from 0x00 to 0xFF in the part reserved for the shellcode. When the application crashes, right-click on ESP and select Follow in Dump to inspect the hex bytes of the input buffer in memory and see which ones were altered or where the buffer was cut short.
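The comparison that is done by eye in the dump window, written out as an added example (this code is not part of the original notes and is not EDB's own): build the probe buffer, compare it with the bytes read back from memory, and repeat while excluding each byte found to be bad. The function simulated_dump is a constructed stand-in for "send the buffer and read it back in Follow in Dump"; it mimics a handler that stops at a NUL and rewrites 0x0d, which is only an assumption for the demonstration.

```python
# Added example: bad-character probe and comparison (not from the original notes).

def badchar_probe(exclude=()):
    """Return every byte value 0x00..0xFF except those already known to be bad."""
    excluded = set(exclude)
    return bytes(b for b in range(256) if b not in excluded)


def first_bad_char(sent, dumped):
    """Compare the probe that was sent with the bytes seen in the memory dump.

    Returns None when the dump reproduces the probe exactly; otherwise the
    first probe byte that was altered, or the byte at which the dump was cut
    short. Only the first mismatch is reported on purpose: once a byte is
    mangled, everything after it is often shifted or truncated, so the usual
    workflow is to exclude that byte, rebuild the probe and test again.
    """
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def find_all_bad_chars(dump_for):
    """Iterate probe -> dump -> exclude until the dump matches the probe.

    dump_for(probe) plays the role of sending the probe to the application and
    reading the buffer back from memory; it is supplied by the caller.
    """
    bad = []
    probe = badchar_probe()
    while True:
        b = first_bad_char(probe, dump_for(probe))
        if b is None:
            return bad
        bad.append(b)
        probe = badchar_probe(exclude=bad)


def simulated_dump(probe):
    """Constructed stand-in for the target (assumption, for demonstration only):
    the buffer is copied as a C string (stops at 0x00) and 0x0d is turned into 0x0a."""
    out = bytearray()
    for b in probe:
        if b == 0x00:
            break
        out.append(0x0a if b == 0x0d else b)
    return bytes(out)


if __name__ == "__main__":
    found = find_all_bad_chars(simulated_dump)
    print("bad chars:", ", ".join(f"0x{b:02x}" for b in found))   # 0x00, 0x0d
```

Against a real target, replace simulated_dump with a function that sends the probe and returns the bytes copied out of the Follow in Dump view; the loop then reports the bad characters in the order they are discovered.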

Go to address in Disassembler window

CONFIRM THIS SECTION:

  • Pause execution (if not already paused)
  • Click on the icon of a straight arrow pointing to the right with 4 vertical dots on the right
  • Enter the address in format 0x00000000

Opcode Searcher

Use this plugin when searching for a return address to place in EIP in a buffer overflow.

Search for a JMP ESP instruction (or the equivalent jump through another register).

  • Click on Plugins->OpcodeSearcher->Opcode Search
  • Under Jump Equivalent, select ESP -> EIP.
  • Select a library to search in (the addresses found must not contain bad characters).
  • Click on Find.
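What the plugin does behind the menu clicks, as an added example (not code from the original notes or from EDB): scan a mapped image for the x86 encoding of JMP ESP (FF E4) and keep only the addresses whose little-endian bytes avoid the bad characters found earlier. SAMPLE_IMAGE, SAMPLE_BASE and BAD_CHARS are constructed values for the demonstration, not taken from any real library.

```python
# Added example: locate JMP ESP and filter addresses by bad characters
# (not from the original notes).
import struct

JMP_ESP = b"\xff\xe4"   # x86 encoding of JMP ESP


def find_jmp_esp(image, base):
    """Return the address of every JMP ESP in image, assumed mapped at base."""
    hits = []
    start = 0
    while True:
        i = image.find(JMP_ESP, start)
        if i < 0:
            return hits
        hits.append(base + i)
        start = i + 1


def address_is_clean(addr, bad_chars):
    """True if the little-endian 32-bit encoding of addr contains no bad byte.

    This is the check the plugin's 'must not contain bad chars' note refers to:
    the address itself travels through the same input path as the buffer.
    """
    return not any(b in bad_chars for b in struct.pack("<I", addr))


def usable_return_addresses(image, base, bad_chars):
    """JMP ESP addresses that survive the bad-character filter."""
    return [a for a in find_jmp_esp(image, base) if address_is_clean(a, bad_chars)]


# Constructed sample (assumption): a 0x2000-byte image of NOPs with two JMP ESP
# instructions, one at an offset whose address contains 0x0a and one that is clean.
# A real library loaded with ASLR/PIE would not have a fixed base, which is why
# this search only matters for modules mapped at a predictable address.
SAMPLE_BASE = 0x62500000
SAMPLE_IMAGE = bytearray(b"\x90" * 0x2000)
SAMPLE_IMAGE[0x0a11:0x0a13] = JMP_ESP   # 0x62500a11 -> bytes 11 0a 50 62
SAMPLE_IMAGE[0x1234:0x1236] = JMP_ESP   # 0x62501234 -> bytes 34 12 50 62
SAMPLE_IMAGE = bytes(SAMPLE_IMAGE)
BAD_CHARS = {0x00, 0x0a, 0x0d}

if __name__ == "__main__":
    for a in find_jmp_esp(SAMPLE_IMAGE, SAMPLE_BASE):
        print(f"0x{a:08x} clean={address_is_clean(a, BAD_CHARS)}")
```

The filter is the part worth keeping in mind when reading the plugin's results: a hit is only usable if none of its four address bytes is in the bad-character set, and any module that is rebased or randomised at load time makes the address unreliable regardless.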