After loading an executable into gdb, how do I break at the entry point, before the first instruction is executed?
The executable I'm analyzing is a piece of malware that's encrypted so break main
does absolutely nothing.
You can find what functions are called before int main() with "set backtrace past-main on", and after finding them set a breakpoint on them and restart your program.

The "info files" command might give you an address you can break on.

"b _start" or "b start" might or might not work. If not, find out the entrypoint address with readelf/objdump and use "b *0x<hex address>".

The no-brainer solution is to use the side-effect of failure to set a breakpoint:

Idea taken from this answer at RE.SE.
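The "find the entry point with readelf/objdump, then b *0x<address>" step from the answer above can be scripted directly from the ELF header, which is useful when the sample is packed and nothing else in the file is trustworthy. The following is an added example written for this page, not code from any of the answers or from gdb itself: it reads e_entry from an ELF32 or ELF64 header in either byte order (the general case, of which the answer shows one instance), and prints the gdb breakpoint command. The helper names (elf_entry_point, gdb_entry_breakpoint, _header) and the two sample headers with made-up entry addresses are constructed for the example.

```python
import struct
import sys

# Offsets inside the ELF header (identical for ELF32 and ELF64 up to e_entry).
EI_CLASS = 4            # 1 = ELFCLASS32, 2 = ELFCLASS64
EI_DATA = 5             # 1 = little-endian, 2 = big-endian
E_ENTRY_OFFSET = 0x18   # e_ident[16] + e_type(2) + e_machine(2) + e_version(4)


def elf_entry_point(data: bytes) -> int:
    """Return e_entry from raw ELF bytes (what readelf -h prints as 'Entry point address')."""
    if len(data) < E_ENTRY_OFFSET + 4 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = {1: "<", 2: ">"}.get(data[EI_DATA])
    if endian is None:
        raise ValueError("unknown EI_DATA byte %#x" % data[EI_DATA])
    # e_entry is an Elf32_Addr (4 bytes) or an Elf64_Addr (8 bytes).
    fmt = {1: "I", 2: "Q"}.get(data[EI_CLASS])
    if fmt is None:
        raise ValueError("unknown EI_CLASS byte %#x" % data[EI_CLASS])
    if len(data) < E_ENTRY_OFFSET + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (entry,) = struct.unpack_from(endian + fmt, data, E_ENTRY_OFFSET)
    return entry


def gdb_entry_breakpoint(data: bytes) -> str:
    """Build the gdb command from the answer: b *0x<hex address>."""
    return "b *0x%x" % elf_entry_point(data)


def _header(ei_class: int, ei_data: int, entry: int) -> bytes:
    """Constructed test input, not a real binary: a bare ELF header with a chosen e_entry."""
    endian = "<" if ei_data == 1 else ">"
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    # Fields after e_ident: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    if ei_class == 2:
        rest = struct.pack(endian + "HHIQQQIHHHHHH",
                           2, 0x3E, 1, entry, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    else:
        rest = struct.pack(endian + "HHIIIIIHHHHHH",
                           2, 0x28, 1, entry, 52, 0, 0, 52, 32, 0, 40, 0, 0)
    return e_ident + rest


# Sample inputs (constructed): a little-endian x86-64 header and a big-endian ARM32 header.
SAMPLE_ELF64_LE = _header(2, 1, 0x401040)
SAMPLE_ELF32_BE = _header(1, 2, 0x10074)


if __name__ == "__main__":
    # Usage: python3 elf_entry.py /path/to/sample   (prints the gdb command to paste)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ELF64_LE
    print(gdb_entry_breakpoint(blob))
```

One caveat for position-independent executables (e_type ET_DYN): e_entry is an offset from the load base, not an absolute address, so the printed "b *0x..." only hits if the base is added; in that case the "info files" answer (run after the process exists) or the "starti" answer below gives the runtime address directly.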
Starting with GDB 8.1, there's a special command for this: "starti". Example GDB session: