1

I came across a question the other day on reddit: How can we use PAGE_GUARD-based memory breakpoints in GDB (not hardware breakpoints)?

Ollydbg, x64dbg and IDA PRO all support these types of breakpoints, but I couldn't find a way in GDB.

If this is not available, is it possible to set the PAGE_GUARD bit manually in GDB?

1 Answer

2

According to man mmap

 PROT_NONE  The memory cannot be accessed at all.
 PROT_READ  The memory can be read.
 PROT_WRITE The memory can be modified.
 PROT_EXEC  The memory can be executed.

PROT_NONE will act like a guard page by hitting a SIGSEGV when accessed.

The page with PROT_NONE looks like this in the map during runtime

 0x7ffff7ff7000 0x7ffff7ff8000 ---p 1000 0 

gdb allows you to call arbitrary functions in the process space. A simple solution would be to run this under gdb

print mprotect($address,0x1000,0) 

This would set PROT_NONE = 0 permissions on the page and it will act as a guard page. If, after hitting SIGSEGV, you want to remap the page as rw (PROT_READ|PROT_WRITE):

print mprotect($address,0x1000,3) 

If you want to add an extra page mapped as a guard page, like the page heaps in Windows, you can call mmap.

print /a mmap($address+0x1000,0x1000,0,0x22,-1,0) 

Here 0x22 is MAP_PRIVATE|MAP_ANONYMOUS

3
  • Thanks! I am surprised though gdb doesn't offer it directly. Commented Mar 31, 2019 at 8:02
  • Hm, another thing: is there really no way to get the current protection of the page? Otherwise it would be hard to undo the memory-breakpoint and expose me to anti-debugging actions. Commented Mar 31, 2019 at 8:31
  • There's no way to read the protections from any api/syscall. Worst case you can parse /proc/<pid>/maps. Some gdb extensions like pwndbg give a vmmap command which does this. Commented Mar 31, 2019 at 9:18
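
Added example (not part of the original answer or comments): one way to record a page's current protection from `/proc/<pid>/maps` before arming the guard page, so the `mprotect` call from the answer can be undone with the original permissions. The function names `page_prot` and `guard_commands`, the sample maps text and the 0x1000 page size are assumptions made for illustration.

```python
import re

PROT_READ, PROT_WRITE, PROT_EXEC = 1, 2, 4   # values from <sys/mman.h> on Linux
PAGE = 0x1000                                 # page size used in the answer

# Constructed sample in /proc/<pid>/maps format (not taken from a real process).
SAMPLE_MAPS = """\
555555554000-555555556000 r-xp 00000000 08:01 131090 /tmp/target
555555756000-555555757000 rw-p 00002000 08:01 131090 /tmp/target
7ffff7ff7000-7ffff7ff8000 ---p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""

LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([r-])([w-])([x-])([ps])")

def page_prot(maps_text, addr):
    """Return the PROT_* mask of the mapping containing addr, or None if unmapped."""
    for line in maps_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        if start <= addr < end:          # the end address is exclusive
            r, w, x = m.group(3, 4, 5)
            return ((PROT_READ if r == "r" else 0)
                    | (PROT_WRITE if w == "w" else 0)
                    | (PROT_EXEC if x == "x" else 0))
    return None

def guard_commands(maps_text, addr):
    """Build the gdb commands that arm a guard page and later restore it."""
    prot = page_prot(maps_text, addr)
    if prot is None:
        raise ValueError(f"{addr:#x} is not mapped")
    page = addr & ~(PAGE - 1)            # mprotect requires a page-aligned address
    arm = f"print mprotect({page:#x},{PAGE:#x},0)"
    restore = f"print mprotect({page:#x},{PAGE:#x},{prot})"
    return arm, restore

if __name__ == "__main__":
    # For a live process, read open(f"/proc/{pid}/maps").read() instead.
    for cmd in guard_commands(SAMPLE_MAPS, 0x555555756010):
        print(cmd)
```

Capture the maps text before issuing the first `mprotect`; once the page is PROT_NONE the maps entry shows `---p` and the original permissions are no longer visible there.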
