To check the memory layout of a binary in GDB, you can use different commands depending on whether the program is currently running or if you are just inspecting the static binary file.<\/p>\n\n\n\n
The best command to see the virtual memory mappings (including the heap, stack, and loaded libraries) is:<\/p>\n\n\n\n
info proc mappings<\/code><\/pre>\n\n\n\nWhat it shows:<\/strong><\/p>\n\n\n\n\n- Start\/End Addr:<\/strong> The virtual address range.<\/li>\n\n\n\n
- Size:<\/strong> The size of the mapped region.<\/li>\n\n\n\n
- Offset:<\/strong> Offset into the file (if file-backed).<\/li>\n\n\n\n
- Objfile:<\/strong> The specific file backing this memory (e.g.,
\/bin\/bash<\/code>, [heap]<\/code>, [stack]<\/code>, or shared libraries like libc.so<\/code>).<\/li>\n<\/ul>\n\n\n\nExample Output:<\/strong><\/p>\n\n\n\n(gdb) info proc mappings\nprocess 12345\nMapped address spaces:\n\n Start Addr End Addr Size Offset objfile\n 0x555555554000 0x555555558000 0x4000 0x0 \/path\/to\/binary\n 0x555555757000 0x555555758000 0x1000 0x3000 \/path\/to\/binary\n 0x555555758000 0x555555759000 0x1000 0x4000 \/path\/to\/binary\n 0x7ffff7dc0000 0x7ffff7fc0000 0x200000 0x0 [heap]\n 0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack]<\/code><\/pre>\n\n\n\n2. If the Program is NOT Running (or for Section Headers)<\/h3>\n\n\n\n
If you want to see how the binary’s sections (like .text<\/code>, .data<\/code>, .bss<\/code>) are laid out, use:<\/p>\n\n\n\nmaintenance info sections<\/code><\/pre>\n\n\n\n(Short form: maint info sections<\/code>)<\/em><\/p>\n\n\n\nWhat it shows:<\/strong><\/p>\n\n\n\n\n- A list of all sections from the object file.<\/li>\n\n\n\n
- The memory flags (READONLY, CODE, DATA).<\/li>\n\n\n\n
- File offsets and virtual addresses.<\/li>\n<\/ul>\n\n\n\n
Example Output:<\/strong><\/p>\n\n\n\n(gdb) maint info sections\nExec file: `\/path\/to\/binary', file type elf64-x86-64.\n 0x00400238->0x00400254 at 0x00000238: .interp ALLOC LOAD READONLY DATA HAS_CONTENTS\n 0x00400254->0x00400274 at 0x00000254: .note.ABI-tag ALLOC LOAD READONLY DATA HAS_CONTENTS\n 0x004003e0->0x00400404 at 0x000003e0: .plt ALLOC LOAD READONLY CODE HAS_CONTENTS\n 0x00400410->0x004005c2 at 0x00000410: .text ALLOC LOAD READONLY CODE HAS_CONTENTS<\/code><\/pre>\n\n\n\n3. Alternative: info files<\/code><\/h3>\n\n\n\nThis command provides a summary of the current target file, including the entry point and the memory ranges for each section.<\/p>\n\n\n\n
info files<\/code><\/pre>\n\n\n\nKey Difference:<\/strong> It is less detailed than maint info sections<\/code> regarding flags but is often cleaner if you just want to know where .text<\/code> or .data<\/code> starts and ends.<\/p>\n\n\n\nSummary of When to Use Which<\/h3>\n\n\n\nCommand<\/th> Usage Scenario<\/th><\/tr><\/thead> info proc mappings<\/code><\/strong><\/td>Best for runtime analysis.<\/strong> Shows the real layout including Heap, Stack, and Shared Libs.<\/td><\/tr>maint info sections<\/code><\/strong><\/td>Best for static analysis.<\/strong> Shows binary sections (.text, .bss) exactly as defined in the ELF\/PE header.<\/td><\/tr>info files<\/code><\/strong><\/td>Good general overview of the loaded file and its entry point.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\nSet breakpoint at entrypoint<\/h2>\n\n\n\n
To set a breakpoint at the true entry point of a binary (which is before main()<\/code>), you can use one of the following methods depending on your GDB version and whether the binary has symbols.<\/p>\n\n\n\nMethod 1: The One-Liner (Best for GDB 8.1+)<\/h3>\n\n\n\n
If you just want to run the program and stop at the very first instruction immediately, use:<\/p>\n\n\n\n
starti<\/code><\/pre>\n\n\n\n\n- What it does:<\/strong> It acts like
run<\/code> but automatically stops at the first instruction (the entry point).<\/li>\n\n\n\n- Note:<\/strong> This is different from
start<\/code>, which stops at main<\/code>.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nMethod 2: Breaking by Symbol (Standard)<\/h3>\n\n\n\n
For most Linux binaries, the entry point is labeled _start<\/code>. You can simply break there:<\/p>\n\n\n\nbreak _start<\/code><\/pre>\n\n\n\n\n- Why
_start<\/code>?<\/strong> This is the actual assembly entry point that initializes the C runtime (setting up stack, environment) before calling your main<\/code> function.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nMethod 3: Manual Address (If Symbols are Stripped)<\/h3>\n\n\n\n
If the binary is “stripped” (has no symbols) or you want to be precise, you can find the entry point address and break on it explicitly.<\/p>\n\n\n\n
\n- Find the entry point address:<\/strong>
Use the info files<\/code> command inside GDB. (gdb) info files<\/code> Look for the line that says “Entry point: 0x\u2026”<\/strong> at the top of the output.<\/li>\n\n\n\n- Set the breakpoint:<\/strong>
Use the *<\/code> syntax before the address to tell GDB it is a memory location.
gdb (gdb) break *0x401050<\/code>
(Replace 0x401050<\/code> with the actual address you found).<\/em><\/li>\n<\/ol>\n\n\n\nSummary Table<\/h3>\n\n\n\nCommand<\/th> Description<\/th><\/tr><\/thead> starti<\/code><\/strong><\/td>Easiest.<\/strong> Starts program and stops at entry point immediately.<\/td><\/tr>break _start<\/code><\/strong><\/td>Sets a breakpoint at the standard entry label.<\/td><\/tr> break *0x...<\/code><\/strong><\/td>Sets a breakpoint at a raw memory address (requires info files<\/code>).<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\nInspect 2\/4\/8 bytes data<\/h2>\n\n\n\n
To inspect memory in specific byte chunks in GDB, you use the x<\/code> (examine) command. The syntax generally looks like this:<\/p>\n\n\n\nx \/<count><format><size> <address><\/code><\/p>\n\n\n\nHere are the specific commands for 2, 4, and 8 bytes.<\/p>\n\n\n\n
1. The Short Answer (Hex format)<\/h3>\n\n\n\n
Assuming you want to look at the address stored in the register $sp<\/code> (stack pointer) or a raw address like 0x400500<\/code>:<\/p>\n\n\n\nData Size<\/th> GDB Suffix<\/th> Command Example<\/th> Explanation<\/th><\/tr><\/thead> 2 Bytes<\/strong><\/td>h<\/code> (Halfword)<\/td>x\/xh $sp<\/code><\/td>Examine 1<\/strong> unit of Hex<\/strong>, size Halfword<\/strong><\/td><\/tr>4 Bytes<\/strong><\/td>w<\/code> (Word)<\/td>x\/xw $sp<\/code><\/td>Examine 1<\/strong> unit of Hex<\/strong>, size Word<\/strong><\/td><\/tr>8 Bytes<\/strong><\/td>g<\/code> (Giant)<\/td>x\/xg $sp<\/code><\/td>Examine 1<\/strong> unit of Hex<\/strong>, size Giant<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n2. Detailed Syntax Explanation<\/h3>\n\n\n\n
The command is broken down as x \/NFS addr<\/code>:<\/p>\n\n\n\n\n- N (Count):<\/strong> How many units to display (e.g.,
1<\/code>, 4<\/code>, 10<\/code>).<\/li>\n\n\n\n- F (Format):<\/strong> How to display the data.\n
\nx<\/code> = Hexadecimal (most common)<\/li>\n\n\n\nd<\/code> = Decimal<\/li>\n\n\n\nu<\/code> = Unsigned Decimal<\/li>\n\n\n\ni<\/code> = Instruction (Assembly)<\/li>\n\n\n\ns<\/code> = String<\/li>\n<\/ul>\n<\/li>\n\n\n\n- S (Size):<\/strong> The size of each unit.\n
\nb<\/code> = Byte (1 byte)<\/li>\n\n\n\nh<\/code> = Halfword (2 bytes)<\/li>\n\n\n\nw<\/code> = Word (4 bytes) (Note: In GDB, a “word” is 4 bytes, unlike x86 assembly where it is often 2).<\/em><\/li>\n\n\n\ng<\/code> = Giant (8 bytes)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n3. Examples<\/h3>\n\n\n\nInspecting 2 Bytes (Halfword)<\/h4>\n\n\n\n
To see the value 0x1234<\/code> located at 0x7fffffffe000<\/code>:<\/p>\n\n\n\n(gdb) x\/1xh 0x7fffffffe000\n0x7fffffffe000: 0x1234<\/code><\/pre>\n\n\n\nInspecting 4 Bytes (Word) in Decimal<\/h4>\n\n\n\n
To see a standard integer (4 bytes) at a variable’s address:<\/p>\n\n\n\n
(gdb) x\/1wd &my_integer\n0x7fffffffe000: 500<\/code><\/pre>\n\n\n\nInspecting multiple 8 Byte (Giant) chunks<\/h4>\n\n\n\n
To see the top 4 values on the stack (64-bit machine):<\/p>\n\n\n\n
(gdb) x\/4xg $sp\n0x7fffffffe100: 0x00000000004005d6 0x00007fffffffe238\n0x7fffffffe110: 0x0000000000000001 0x00007ffff7de59a0<\/code><\/pre>\n\n\n\nAlternative: Using print<\/code> with Casting<\/h3>\n\n\n\nIf you prefer C-style casting over raw memory inspection, you can use the print<\/code> (or p<\/code>) command. This is often useful if you want GDB to handle the types for you.<\/p>\n\n\n\n\n- 2 Bytes:<\/strong>
p *(short *) 0x400500<\/code><\/li>\n\n\n\n- 4 Bytes:<\/strong>
p *(int *) 0x400500<\/code><\/li>\n\n\n\n- 8 Bytes:<\/strong>
p *(long long *) 0x400500<\/code><\/li>\n<\/ul>\n\n\n\n
\n\n\n\nPrint the assembly at the same time executing<\/h2>\n\n\n\n
You can achieve this in three ways. The first is a simple command, the second is a setting, and the third uses GDB’s visual mode.<\/p>\n\n\n\n
Option 1: The display<\/code> Command (Classic)<\/h3>\n\n\n\nThis tells GDB to automatically print an expression every time the program stops (e.g., after every si<\/code>).<\/p>\n\n\n\n\n- Run this command once:
display\/i $pc<\/code>\n\ndisplay<\/code>: Show every time execution stops.<\/li>\n\n\n\n\/i<\/code>: Format as instruction (assembly).<\/li>\n\n\n\n$pc<\/code>: The Program Counter register (current instruction pointer).<\/li>\n<\/ul>\n<\/li>\n\n\n\n- Now, when you type
si<\/code>, GDB will automatically print the next instruction.
text (gdb) si 1: x\/i $pc => 0x40052d <main+4>: sub $0x10,%rsp<\/code><\/li>\n<\/ol>\n\n\n\nTo stop this behavior later, type undisplay<\/code>.<\/em><\/p>\n\n\n\n
\n\n\n\nOption 2: The disassemble-next-line<\/code> Setting (Cleaner)<\/h3>\n\n\n\nNewer versions of GDB have a specific setting for this. It is often cleaner than display<\/code> because it integrates the assembly into the standard stop message.<\/p>\n\n\n\n\n- Run this command:
set disassemble-next-line on<\/code><\/li>\n\n\n\n- Now, when you
si<\/code> (or ni<\/code>), it shows the instruction automatically:
text (gdb) si 0x0000000000401126 4 printf(\"Hello\\n\"); 0x0000000000401126 <+4>: 48 83 ec 10 sub $0x10,%rsp<\/code><\/li>\n<\/ol>\n\n\n\nThis typically shows both the source line (if available) and the assembly instruction.<\/em><\/p>\n\n\n\n