Menu
After loading an executable into gdb, how do I break at the entry point, before the first instruction is executed?
The executable I'm analyzing is a piece of malware that's encrypted so break main does absolutely nothing.
802
To exit GDB, use the quit command (abbreviated q ), or type an end-of-file character (usually C-d ). If you do not supply expression , GDB will terminate normally; otherwise it will terminate using the result of expression as the error code.
gdb will stop your program at whatever line it has just executed. From here you can examine variables and move through your program. To specify other places where gdb should stop, see the section on breakpoints below.
If the target environment supports it, gdb can allow you to “rewind” the program by running it backward. A target environment that supports reverse execution should be able to “undo” the changes in machine state that have taken place as the program was executing normally.
Description. This command continues execution of the current function until it returns to its caller.
Starting with GDB 8.1, there's a special command for this: starti. Example GDB session:
$ gdb /bin/true Reading symbols from /bin/true...(no debugging symbols found)...done. (gdb) starti Starting program: /bin/true Program stopped. 0xf7fdd800 in _start () from /lib/ld-linux.so.2 (gdb) x/5i $pc => 0xf7fdd800 <_start>: mov eax,esp 0xf7fdd802 <_start+2>: call 0xf7fe2160 <_dl_start> 0xf7fdd807 <_dl_start_user>: mov edi,eax 0xf7fdd809 <_dl_start_user+2>: call 0xf7fdd7f0 0xf7fdd80e <_dl_start_user+7>: add ebx,0x1f7e6 The info files command might give you an address you can break on:
(gdb) info files ... Entry point: 0x80000000 ... (gdb) break *0x80000000 (gdb) run If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
