Pretty Printing

libdebug offers utilities to visualize the process's state in a human-readable format and with color highlighting. This can be especially useful when debugging complex binaries or when you need to quickly understand the behavior of a program.

Registers Pretty Printing

There are two functions available to print the registers of a thread: pprint_registers() and print_registers_all(). The former prints the current values of the most commonly interesting registers, while the latter prints all available registers.

Pretty Printing Registers

Aliases

If you don't like long function names, you can use aliases for the two register pretty print functions. The shorter aliases are pprint_regs() and print_regs_all().

Syscall Trace Pretty Printing

When debugging a binary, it is often much faster to guess the intended functionality by looking at the syscalls that are being invoked. libdebug offers a function that will intercept any syscall and print its arguments and return value. To enable it, set the property pprint_syscalls = True on the Debugger object or ThreadContext object and resume the process.

Syscall Trace PPrint Syntax

d.pprint_syscalls = True
d.cont()

The output will be printed to the console in color according to the following coding:

Format         Description
blue           Syscall name
red            Syscall was intercepted and handled by a callback (either a basic handler or a hijack)
yellow         Value given to a syscall argument in hexadecimal
strikethrough  Syscall was hijacked or a value was changed; the new syscall or value follows the stricken text

Handled syscalls with a callback associated with them will be listed as such. Additionally, syscalls hijacked through the libdebug API will be shown struck through, allowing you to monitor both the original behavior and your own changes to the flow. The id of the thread that made the syscall will be printed at the beginning of the line in white bold.

Pretty Printing Syscalls

Memory Maps Pretty Printing

To pretty print the memory maps of a process, you can simply use the pprint_maps() function. This will print the memory maps of the process in a human-readable format, with color highlighting to distinguish between different memory regions.

Format      Description
underlined  Memory map with read, write, and execute permissions
red         Memory map with execute permissions
yellow      Memory map with write permissions
green       Memory map with read permission only
white       Memory map with no permissions

Pretty Printing Memory Maps
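
The colour coding in the table above can be reproduced over /proc/<pid>/maps-style text, which is handy for flagging RWX regions in a saved dump. This is an added example, not libdebug's own code: the names classify, parse_maps, render and SAMPLE are hypothetical, the sample lines are constructed, and the precedence (rwx first, then execute, write, read) is an assumption read off the table's order.

```python
import re

# ANSI sequences for the table's "Format" names (underline for rwx, else a colour).
ANSI = {"underlined": "\033[4m", "red": "\033[31m", "yellow": "\033[33m",
        "green": "\033[32m", "white": "\033[37m"}
RESET = "\033[0m"

# /proc/<pid>/maps layout: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-])[ps]\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")

def classify(perms):
    """Map an 'rwx'-style string to a Format name (precedence is assumed)."""
    if perms == "rwx":
        return "underlined"
    if "x" in perms:
        return "red"
    if "w" in perms:
        return "yellow"
    if "r" in perms:
        return "green"
    return "white"

def parse_maps(text):
    """Parse maps text into region dicts; raise ValueError on a malformed line."""
    regions = []
    for line in text.strip().splitlines():
        m = MAPS_LINE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        start, end, perms, offset, path = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16),
                        "perms": perms, "offset": int(offset, 16),
                        "path": path or "[anon]", "format": classify(perms)})
    return regions

def render(regions):
    """Return one ANSI-highlighted line per region."""
    return [f"{ANSI[r['format']]}{r['start']:#x}-{r['end']:#x} {r['perms']} "
            f"{r['path']}{RESET}" for r in regions]

# Constructed sample input, not taken from a real process.
SAMPLE = """
00400000-00401000 r--p 00000000 08:01 1234 /tmp/demo
00401000-00402000 r-xp 00001000 08:01 1234 /tmp/demo
00404000-00405000 rw-p 00003000 08:01 1234 /tmp/demo
7f0000000000-7f0000001000 rwxp 00000000 00:00 0
7f0000002000-7f0000003000 ---p 00000000 00:00 0
7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("\n".join(render(parse_maps(SAMPLE))))
```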

Stack Trace Pretty Printing

To pretty print the stack trace (backtrace) of a process, you can use the pprint_backtrace() function. This will print the stack trace of the process in a human-readable format.

Pretty Printing Stack Trace