Review (#733)

clark-ja · web-flow · commit 5ecaadb0c86b · 2021-09-30T15:20:43.000-07:00
* docs: fix usage for 'functions' cmd

* fix: ksymaddr cmd

- refactor ksymaddr command
- introduce argparse syntax to ksymaddr command
- add warning if process can't resolve kernel symbol addresses
- fix issue when matching symbol wasn't recognized because it was
  compared against the combination of symbol name plus module name
- add note to docs about needed permissions

* feat: add capability to pass multiple commands to gdb helpers as cmd

- refactor: create new CommandType for 'before', 'cmd' and 'after'
- refactor: add whitespace around "="
- refactor: extract method for adding commands to gdb subprocess command
- feat: add capability to pass multiple commands to 'cmd'

* fix: stub cmd

- feat: add -r shortform to argparse syntax
- docs: change LOCATION to address
- docs: update --retval syntax
- docs: fix line length
- tests: upgrade tests from just checking for exceptions to also check
  the functionality of the stub command

* docs: update reset-cache

* fix: pattern command

- docs: update pattern command
- docs: apply markdown lints and remove typo
- feat: set n for pattern cmd to default of current_arch.ptrsize
- args: update pattern command
- remove: pattern.period gef setting
- feat: support 16bit size for struct.patch
- tests: more extensive tests

* docs: update screenshots

* refactor: please linter

* fix: correct some nitpicks

* feat: use argparse syntax for deref cmd

* docs: update deref syntax

* docs: capitalize De Bruijn

* docs: fix code block on docs/index.md
diff --git a/docs/commands/aliases.md b/docs/commands/aliases.md
@@ -90,16 +90,14 @@ g = gef run
 uf = disassemble
 ```
 
-Note that many of these aliases are already supported by `GEF` (e.g. `eb`).
-
 Or here are some `PEDA` aliases for people used to using `PEDA` who made the
 smart move to `GEF`.
 
 ```
 # some peda aliases
 telescope = dereference
 start = entry-break
-stack = dereference $sp 10
+stack = dereference -l 10 $sp
 argv = show args
 kp = info stack
 findmem = search-pattern
diff --git a/docs/commands/functions.md b/docs/commands/functions.md
@@ -1,25 +1,38 @@
 ## Command functions ##
 
-The `functions` command will list all of the [convenience functions](https://sourceware.org/gdb/onlinedocs/gdb/Convenience-Funs.html) provided by GEF.
+The `functions` command will list all of
+the [convenience functions](https://sourceware.org/gdb/onlinedocs/gdb/Convenience-Funs.html)
+provided by GEF.
 
-* `$_base(name=current_file)`     -- Return the base address of the matching section (default current file).
-* `$_bss(offset=0)`    -- Return the current bss base address plus the given offset.
-* `$_got(offset=0)`    -- Return the current bss base address plus the given offset.
-* `$_heap(offset=0)`   -- Return the current heap base address plus an optional offset.
-* `$_stack(offset=0)`  -- Return the current stack base address plus an optional offset.
+- `$_base([filepath])`    -- Return the matching file's base address plus an
+  optional offset. Defaults to the current file. Note that quotes need to be
+  escaped.
+- `$_bss([offset])`       -- Return the current bss base address plus the given
+  offset.
+- `$_got([offset])`       -- Return the current bss base address plus the given
+  offset.
+- `$_heap([offset])`      -- Return the current heap base address plus an
+  optional offset.
+- `$_stack([offset])`     -- Return the current stack base address plus an
+  optional offset.
 
-
-These functions can be used as arguments to other commands to dynamically calculate values.
+These functions can be used as arguments to other commands to dynamically
+calculate values.
 
 ```
-gef&#10148;  deref $_heap() l4
+gef&#10148;  deref -l 4 $_heap()
 0x0000000000602000&#9474;+0x00: 0x0000000000000000	 &larr; $r8
 0x0000000000602008&#9474;+0x08: 0x0000000000000021 ("!"?)
 0x0000000000602010&#9474;+0x10: 0x0000000000000000	 &larr; $rax, $rdx
 0x0000000000602018&#9474;+0x18: 0x0000000000000000
-gef&#10148;  deref $_heap(0x20) l4
+gef&#10148;  deref -l 4 $_heap(0x20)
 0x0000000000602020&#9474;+0x00: 0x0000000000000000	 &larr; $rsi
 0x0000000000602028&#9474;+0x08: 0x0000000000020fe1
 0x0000000000602030&#9474;+0x10: 0x0000000000000000
 0x0000000000602038&#9474;+0x18: 0x0000000000000000
+gef&#10148;  deref -l 4 $_base(\"libc\")
+0x00007ffff7da9000&#9474;+0x0000: 0x03010102464c457f
+0x00007ffff7da9008&#9474;+0x0008: 0x0000000000000000
+0x00007ffff7da9010&#9474;+0x0010: 0x00000001003e0003
+0x00007ffff7da9018&#9474;+0x0018: 0x0000000000027c60
 ```
diff --git a/docs/commands/ksymaddr.md b/docs/commands/ksymaddr.md
@@ -18,3 +18,7 @@ gef&#10148;  ksymaddr commit_creds
 [*] Found partial match for 'commit_creds' at 0xffffffff8fc8d008 (type=r): __kcrctab_commit_creds
 [*] Found partial match for 'commit_creds' at 0xffffffff8fc9bfcd (type=r): __kstrtab_commit_creds
 ```
+
+Note that the debugging process needs to have the correct permissions for this
+command to show kernel addresses. For more information see
+also [this stackoverflow post](https://stackoverflow.com/a/55592796).
diff --git a/docs/commands/pattern.md b/docs/commands/pattern.md
@@ -2,50 +2,64 @@
 
 This command will create or search a [De
 Bruijn](https://en.wikipedia.org/wiki/De_Bruijn_sequence) cyclic pattern to
-facilitate determining offsets in memory.
+facilitate determining offsets in memory. The sequence consists of a number of
+unique substrings of a chosen length.
 
 It should be noted that for better compatibility, the algorithm implemented in
 `GEF` is the same as the one in `pwntools`, and can therefore be used in
 conjunction.
 
-### create
+### create ###
 
-The sub-command `create` allows to create a new pattern:
+```
+pattern create [-h] [-n N] [length]
+```
+
+The sub-command `create` allows one create a new De Bruijn sequence. The
+optional argument `n` determines the length of unique subsequences. Its default
+value matches the currently loaded architecture. The `length` argument sets the
+total length of the whole sequence.
 
 ```
-gef&#10148;  pattern create 128
-[+] Generating a pattern of 128 bytes
+gef&#10148;  pattern create -n 4 128
+[+] Generating a pattern of 128 bytes (n=4)
 aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaab
 [+] Saved as '$_gef0'
 ```
 
-Ths pattern can be used as as input later on. To generate this input, `GEF`
-takes into account the size of architecture (16, 32 or 64 bits), to generate
-it.
-
 The equivalent command with `pwntools` is
+
 ```python
 from pwn import *
 p = cyclic(128, n=8)
 ```
-where `n` is the number of bytes of the architecture (8 for 64 bits, 4 for 32).
 
+### search ###
+
+```
+pattern search [-h] [-n N] [--max-length MAX_LENGTH] [pattern]
+```
+
+The `search` sub-command seeks the `pattern` given as argument, trying to find
+its offset in the De Bruijn sequence. The optional argument `n` determines the
+length of unique subsequences, and it should usually match the length of
+`pattern`. Using `MAX_LENGTH` the maximum length of the sequence to search in
+can be adjusted.
 
-### search
+Note that the `pattern` can be passed as a GDB symbol (such as a register name),
+a string or a hexadecimal value
 
-The `search` sub-command seeks the value given as argument, trying to find it in
-the De Bruijn sequence
 ```
 gef&#10148;  pattern search 0x6161616161616167
 [+] Searching '0x6161616161616167'
 [+] Found at offset 48 (little-endian search) likely
 [+] Found at offset 41 (big-endian search)
-```
-
-Note that registers can also be passed as values:
-```
 gef&#10148;  pattern search $rbp
 [+] Searching '$rbp'
 [+] Found at offset 32 (little-endian search) likely
 [+] Found at offset 25 (big-endian search)
+gef&#10148;  pattern search aaaaaaac
+[+] Searching for 'aaaaaaac'
+[+] Found at offset 16 (little-endian search) likely
+[+] Found at offset 9 (big-endian search)
 ```
diff --git a/docs/commands/reset-cache.md b/docs/commands/reset-cache.md
@@ -1,6 +1,3 @@
 ## Command reset-cache
 
-This is an obsolete function to reset GEF internal memoize cache, which does not
-need to be called from the command line anymore.
-
-This command will disappear soon...
+This command is only useful for debugging `GEF` itself.
diff --git a/docs/commands/stub.md b/docs/commands/stub.md
@@ -4,15 +4,15 @@ The `stub` command allows you stub out functions, optionally specifying the
 return value.
 
 ```
-gef&#10148;  stub [-h] [-r RETVAL] [LOCATION]
+gef&#10148;  stub [-h] [--retval RETVAL] [address]
 ```
 
-`LOCATION` indicates the address of the function to bypass. If not
-specified, gef will consider the instruction at the program counter to be the
+`address` indicates the address of the function to bypass. If not
+specified, `GEF` will consider the instruction at the program counter to be the
 start of the function.
 
-If `-r RETVAL` is provided, gef will set the return value to the provided
-value. Otherwise it will set the return value to 0.
+If `--retval RETVAL` is provided, `GEF` will set the return value to the
+provided value. Otherwise, it will set the return value to 0.
 
 For example, it is trivial to bypass `fork()` calls. Since the return value is
 set to 0, it will in fact drop us into the "child" process. It must be noted
@@ -25,7 +25,9 @@ process into thinking it has become the child.
 Patching `fork()` calls:
 
 * Without stub:
+
 ![fork execution](http://i.imgur.com/TjnTDot.png)
 
 * With stub:
+
 ![stubbed fork](http://i.imgur.com/CllTnRH.png)
diff --git a/docs/commands/vmmap.md b/docs/commands/vmmap.md
@@ -2,7 +2,7 @@
 
 `vmmap` displays the target process's entire memory space mapping.
 
-![vmmap-example](https://i.imgur.com/iau8SwS.png)
+![vmmap](https://i.imgur.com/V9zMLUt.png)
 
 Interestingly, it helps finding secret gems: as an aware reader might have
 seen, memory mapping differs from one architecture to another (this is one of
diff --git a/docs/index.md b/docs/index.md
@@ -145,7 +145,6 @@ To benefit from it:
 ```bash
 # via the install script
 $ bash -c "$(wget https://github.com/hugsy/gef/raw/master/scripts/gef-extras.sh -O -)"
-```
 
 # manually
 # clone the repo
diff --git a/docs/screenshots.md b/docs/screenshots.md
@@ -2,7 +2,6 @@
 
 <!-- @import "[TOC]" {cmd="toc" depthFrom=1 depthTo=6 orderedList=false} -->
 
-
 This page illustrates a few of the possibilities available to you when using `GEF`.
 
 ## Multi-architecture support
@@ -18,69 +17,56 @@ Currently `GEF` supports the following architectures:
  - PowerPC
  - SPARC/SPARCv9
 
-
 ## Features
 
 ### Embedded hexdump view
 
 To this day, GDB doesn't come with a hexdump-like view. Well `GEF` fixes that for you via the `hexdump` command:
 
-![hexdump](https://i.imgur.com/mJUq6T2.png)
-
+![hexdump](https://i.imgur.com/qt77lFQ.png)
 
 ### Dereferencing data or registers
 
 No more endless manual pointer dereferencing `x/x` style. Just use `dereference` for that. Or for a comprehensive view of the registers, `registers` might become your best friend:
 
 ![mipsel-deref-regs](https://i.imgur.com/f5ZaWDC.png)
 
-
 ### Heap analysis
 
 #### Detailed view of Glibc Chunks
 
 ![x86-heap-chunks](https://i.imgur.com/zBSTUHb.png)
 
-
 #### Automatic detection of UaF during runtime
 
 ![x86-heap-helper-uaf](https://i.imgur.com/NfV5Cu9.png)
 
-
 ### Display ELF information
 
 #### ELF structure
 
-![arm-elf-info](https://i.imgur.com/qOL8CnL.png)
-
+![elf-info](https://i.imgur.com/AkWhJ3t.png)
 
 #### Security settings
 
-![mips-elf-checksec](https://i.imgur.com/aanY2uK.png)
-
+![elf-checksec](https://i.imgur.com/HXcwr2S.png)
 
 ### Automatic vulnerable string detection
 
 ![aarch64-fmtstr](https://i.imgur.com/iF4l1R5.png)
 
-
 ### Code emulation with Unicorn-Engine (x86-64)
 
-![x86-unicorn](https://i.imgur.com/emhEsol.png)
-
+![emu](https://i.imgur.com/n4Oy5D0.png)
 
 ### Comprehensive address space layout display
 
-![mips-vmmap](https://i.imgur.com/TbC1kNa.png)
-
+![vmmap](https://i.imgur.com/V9zMLUt.png)
 
 ### Defining arbitrary custom structures
 
 ![sparc-arb-struct](https://i.imgur.com/dEMUuP7.png)
 
-
 ### Highlight custom strings
 
 ![highlight-command](https://i.imgur.com/UwSPXrV.png)
-
-
diff --git a/gef.py b/gef.py
diff --git a/tests/helpers.py b/tests/helpers.py
diff --git a/tests/runtests.py b/tests/runtests.py
