Breaking into a forked child in gdb

Disclaimer: I am a noob at gdb.

To use intel syntax and display the current instruction:

(gdb) set disassembly-flavor intel
(gdb) display/i $pc

Next, setting a breakpoint where 0xdeadbeef is the address of call fork instruction. Get gdb to follow fork child instead of parent, which is the default behaviour. Step over the fork to land in the child process:

(gdb) break *0xdeadbeef
(gdb) run
(gdb) set follow-fork-mode child
(gdb) nexti

Bonus, setting a rwx data breakpoint:

(gdb) awatch *0xbabecafe
(gdb) continue

Now I am not sure which is the greater evil, gdb or windbg…

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s