FAQ.md
+20-2
@@ -32,6 +32,11 @@ This is the directory where gef temporarily stores files.
32
32
Since it is used for caching, there is no problem in deleting it.
33
33
It will be created automatically the next time gef starts.
34
34
35
+
## Will this GEF work as a plugin for hugsy/gef?
36
+
No, it doesn't work. It replaces hugsy/gef.
37
+
However, compatibility with hugsy/gef has already been lost. You should be considered a completely different product.
38
+
39
+
35
40
## Will each GEF command be more accurate if I have vmlinux with debug symbols?
36
41
No, whether vmlinux includes debug information has no effect on GEF behavior.
37
42
GEF always uses its own resolved address with `kallsyms-remote`.
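Review bot: The last added sentence under "Will this GEF work as a plugin for hugsy/gef?" has the wrong subject: "You should be considered a completely different product." reads as if it addresses the reader. Suggest "It should be considered a completely different product." The preceding "No, it doesn't work. It replaces hugsy/gef." would also be clearer as one sentence that says what "it" is, for example "No. This GEF replaces hugsy/gef rather than extending it."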
@@ -41,6 +46,15 @@ It also performs its own heuristic structure member detection in each command.
41
46
No, GEF does not support real mode.
42
47
Please consider using other scripts, such as [here](https://astralvx.com/debugging-16-bit-in-qemu-with-gdb-on-windows/).
43
48
49
+
## Does GEF support Android?
50
+
I've never tried it, so I don't know.
51
+
52
+
I think it will work for userland debugging.
53
+
However, Android does not use glibc, so the heap structure is different.
54
+
Therefore, I think at least `heap` related commands will not work.
55
+
56
+
Regarding kernel debugging, I haven't been able to confirm how much the structure is different.
57
+
44
58
## Is it possible to debug userland with GEF when using qemu-system?
45
59
Partially yes. I think it can be used when you want to track before and after a system call.
46
60
However, if KPTI is enabled, many kernel-related commands cannot be used.
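Review bot: The last added line of the Android answer, "I haven't been able to confirm how much the structure is different", does not say which structure is meant, and the reader cannot tell whether kernel commands are expected to fail or are simply untested. Suggest naming it ("how much the kernel structures differ") and stating the status up front in the first line, for example "Untested." followed by the userland and kernel expectations. The `heap` caveat is well placed since it gives the reason (Android does not use glibc); if other commands depend on glibc as well, list them here.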
@@ -121,7 +135,7 @@ The `got` command uses `objdump` internally to obtain the PLT address.
121
135
However, with certain combinations of `binutils` and `glibc` versions, `objdump` does not display the PLT address.
122
136
123
137
The currently known combinations are as follows.
124
-
-`binutils 2.38` + `glibc 2.37 or later` (`binutils 2.38` is default of Ubuntu 22.04)
138
+
-`binutils 2.38`(Ubuntu 22.04 default) + `glibc 2.37 or later`
125
139
126
140
This problem occurs when you try to use newer glibc in an Ubuntu 22.04 environment using `patchelf` etc.
127
141
The workaround is to build and install new `binutils` from source code.
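Review bot: The rewritten list item is missing a space between the closing backtick and the parenthesis: "`binutils 2.38`(Ubuntu 22.04 default)". Suggest "`binutils 2.38` (Ubuntu 22.04 default) + `glibc 2.37 or later`". Moving the Ubuntu note next to `binutils 2.38` is an improvement, since the old wording put it after the glibc half of the combination.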
@@ -139,7 +153,7 @@ If the mode remains switched due to an interruption during command execution, et
139
153
Yes, you can access by `__LCO__` that means loaded command objects. For example, `pi __LCO__["vmmap"]`.
140
154
141
155
## I want to call the function in `KernelAddressHeuristicFinder` class from `python-interactive`, but the class name is too long and I often forget it.
142
-
Yes, you can access by `KF`. For example.`pi KF.get_slab_caches()`.
156
+
You can access by `KF`. For example,`pi KF.get_slab_caches()`.
143
157
144
158
## How can I get the instruction object?
145
159
You can get instruction object by `pi get_insn(addr=None)`.
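Review bot: The changed answer line still has a spacing problem: "For example,`pi KF.get_slab_caches()`." needs a space after the comma. Dropping "Yes," is right because the heading is a statement, not a yes/no question, but "You can access by `KF`" is missing an object; suggest "You can access it as `KF`. For example, `pi KF.get_slab_caches()`." The `__LCO__` answer in the context line above uses the same "access by" phrasing and could be aligned in the same commit.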
@@ -166,6 +180,8 @@ There are also similar functions. Here are the list.
166
180
-`p8`, `p16`, `p32`, `p64`
167
181
-`u8`, `u16`, `u32`, `u64`, `u128`
168
182
183
+
If you want the complete list, run `gef pyobj-list`.
184
+
169
185
170
186
# About development schedule
171
187
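Review bot: The added line "If you want the complete list, run `gef pyobj-list`." does not say where the command is typed, and every other example in this part of the FAQ is a `pi ...` expression. Suggest making it explicit that this is entered at the gdb prompt rather than inside `python-interactive`. The extra added blank line also leaves three empty lines before `# About development schedule`; one of them can go.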
@@ -198,6 +214,8 @@ But this is a personal development, so I have the final decision. I appreciate y
198
214
You will need a screenshot or a copy of the terminal string when the problem occurred.
199
215
In addition, I am glad if there are the results of the `version` command and `arch-info` command.
200
216
217
+
Additionally, if the issue is related to kernel debugging, please provide a set of environments (`run.sh`, `bzImage`, `rootfs`, etc.) or where to get them.
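Review bot: The added sentence starts with "Additionally," directly after a context line that starts with "In addition,", and "a set of environments" is unclear. Suggest merging or rewording, for example "If the issue is related to kernel debugging, please also provide the reproduction environment (`run.sh`, `bzImage`, `rootfs`, etc.) or say where to get it." It would also help to say how these files should be supplied (attachment or link), since the line only says what is needed.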