# Pretty Printing
libdebug offers utilities to visualize the process's state in a human-readable format and with color highlighting. This can be especially useful when debugging complex binaries or when you need to quickly understand the behavior of a program.
## Registers Pretty Printing

There are two functions available to print the registers of a thread: `pprint_registers()` and `pprint_registers_all()`. The former prints the current values of the most commonly interesting registers, while the latter prints all available registers.
**Aliases**

If you don't like long function names, you can use aliases for the two register pretty print functions. The shorter aliases are `pprint_regs()` and `pprint_regs_all()`.
## Syscall Trace Pretty Printing

When debugging a binary, it is often much faster to guess what the intended functionality is by looking at the syscalls that are being invoked. libdebug offers a function that will intercept any syscall and print its arguments and return value. This can be done by setting the property `pprint_syscalls = True` in the Debugger object or ThreadContext object and resuming the process.

The output will be printed to the console in color according to the following coding:
Color / style | Description |
---|---|
blue | Syscall name |
red | Syscall was intercepted and handled by a callback (either a basic handler or a hijack) |
yellow | Value given to a syscall argument in hexadecimal |
strikethrough | Syscall was hijacked or a value was changed; the new syscall or value follows the struck-through text |
Handled syscalls with a callback associated with them will be listed as such. Additionally, syscalls hijacked through the libdebug API will be highlighted as struck through, allowing you to monitor both the original behavior and your own changes to the flow. The ID of the thread that made the syscall is printed at the beginning of the line in bold white.
## Memory Maps Pretty Printing

To pretty print the memory maps of a process, you can simply use the `pprint_maps()` function. This will print the memory maps of the process in a human-readable format, with color highlighting to distinguish between different memory regions.
Color / style | Description |
---|---|
underlined | Memory map with read, write, and execute permissions |
red | Memory map with execute permissions |
yellow | Memory map with write permissions |
green | Memory map with read permission only |
white | Memory map with no permissions |
## Stack Trace Pretty Printing

To pretty print the stack trace (backtrace) of a process, you can use the `pprint_backtrace()` function. This will print the stack trace of the process in a human-readable format.
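The following is an added example, not part of the libdebug documentation or code base, showing one session that exercises the syscall trace, register, memory map and backtrace pretty printers described above. It turns on `pprint_syscalls`, registers a plain handler on `write` and a hijack of `getpid` to `getppid` so that all rows of the syscall color legend (red handled name, struck-through hijacked name) appear in the trace, stops at a breakpoint, and then dumps registers, maps and the backtrace. The call names `handle_syscall`, `hijack_syscall`, `breakpoint`, `run`, `cont`, `wait` and `kill`, the `on_enter=` callback keyword with a `(d, syscall_number)` signature, and the `syscall_arg0` / `syscall_arg2` attributes are libdebug API as I understand it and should be checked against the installed version; `./target` is an assumed path to a binary of your own. The session logic takes the debugger object as a parameter so the flow can be exercised without a live process.

```python
"""Added example (not libdebug's own code): one pretty-printing session.

Assumptions: libdebug is installed for the real run; ./target is a binary
you supply; the libdebug call names used below match the installed version.
"""
from __future__ import annotations

from typing import Any


def on_write_enter(d: Any, syscall_number: int) -> None:
    # Handler invoked on entry to write(2). Assumed libdebug attribute names:
    # syscall_arg0 is the fd, syscall_arg2 the requested length.
    print(f"[handler] write(fd={d.syscall_arg0}, len={d.syscall_arg2}) "
          f"syscall #{syscall_number}")


def pretty_session(d: Any, break_at: str = "main") -> list[str]:
    """Drive one session on an already-created debugger object `d`.

    Returns the ordered list of actions taken so the flow can be checked
    without a process. On a real libdebug Debugger the coloured syscall
    trace is printed while the target runs, followed by the three dumps.
    """
    actions: list[str] = []

    d.run()                            # start the target; it is stopped at entry
    actions.append("run")

    d.pprint_syscalls = True           # colour-coded trace from now on
    actions.append("pprint_syscalls=on")

    # Handled syscall: its name is shown in red in the trace (assumed API).
    d.handle_syscall("write", on_enter=on_write_enter)
    actions.append("handle:write")

    # Hijacked syscall: the original name is struck through and the
    # replacement follows it in the trace (assumed API).
    d.hijack_syscall("getpid", "getppid")
    actions.append("hijack:getpid->getppid")

    d.breakpoint(break_at)             # symbol name, resolved by libdebug
    d.cont()
    d.wait()                           # block until the breakpoint is hit
    actions.append(f"stopped:{break_at}")

    d.pprint_registers()               # alias: d.pprint_regs()
    d.pprint_maps()                    # permission colours as in the table
    d.pprint_backtrace()
    actions.extend(["registers", "maps", "backtrace"])

    d.kill()
    actions.append("killed")
    return actions


if __name__ == "__main__":
    # Real run: requires libdebug and a ./target binary (assumed path).
    from libdebug import debugger

    pretty_session(debugger("./target"))
```

Because `pretty_session` never imports libdebug itself, the same function can be driven by a stub object in a unit test, which is a cheap way to keep a debugging recipe from rotting when the surrounding tooling changes.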