lldb command notes

Launching a program under lldb

Launch the program directly

lldb <executable>

or

lldb                              // enter lldb
(lldb) target create <executable>

Run with arguments

lldb -- <executable> [arg0 arg1 ...]   // the -- keeps lldb from parsing the program's own -options; it can be omitted when no argument starts with -

or

lldb                              // enter lldb
(lldb) target create <executable>
(lldb) settings set target.run-args arg0 [arg1 ...]   // stored on the target and used by every later run

Arguments typed after run (an alias for process launch --) are passed to the program for that launch only.

Attaching to a running process

lldb -p <pid>                           // from the shell (lldb -n <name> attaches by process name)
(lldb) process attach -p <pid>          // from inside lldb; attach -p <pid> is the short form

On macOS the attach is refused unless the target permits debugging (a non-hardened binary or one with the get-task-allow entitlement) and SIP allows it for that process.

Detaching from a process

Press ctrl + c to interrupt the process, then run detach (process detach) so it continues without the debugger.
Typing q also works for an attached process: lldb asks for confirmation and detaches rather than killing it. A process that lldb launched itself is killed on quit instead.

Breakpoints

List breakpoints

br l                                    // short for breakpoint list

Break on a function address

(lldb) breakpoint set -a <address>      // ordinary address breakpoint; use the address as it is in the live process: when attached to an ASLR-slid process the on-disk address and the runtime address differ (compare the two addresses in the br l output further down)

Break on a function name

breakpoint set -n <function_name>       // b <function_name> is the short form

Breakpoints in dynamically loaded dylibs
A very useful lldb feature: you can set a breakpoint by function name on a dylib that has not been loaded yet. The breakpoint stays pending (br l shows it with locations = 0 (pending)); when the library is loaded, lldb matches the name, resolves the address and arms the breakpoint automatically.

Module breakpoint

The basic idea is to break on the routine that brings a module in (+load or dlopen) and make that breakpoint conditional on the path string it is called with (the first argument: $rdi on x86_64, $x0 on arm64), so execution stops exactly when the module of interest is about to be loaded.

Disabling a breakpoint

First list the breakpoints

(lldb) br l
Current breakpoints:
1: address = EaseUS Data Recovery Wizard[0x000000010003b8fb], locations = 1
  1.1: where = EaseUS Data Recovery Wizard`-[VideoRepairDetailViewController RepairClicked:withData:] + 51, address = 0x000000010e8cf8fb, unresolved, hit count = 2

The breakpoint above has ID 1 with a single location 1.1 (the bracketed address is the address inside the image file, the second one is where it landed in the slid process).
Then disable it

breakpoint disable <breakpoint-id>      // breakpoint disable 1 turns off the whole breakpoint, breakpoint disable 1.1 only that location; breakpoint enable reverses it

Note: function names can be tab-completed at the lldb prompt.

Execution control

Start the program

run                                     // alias for process launch; anything typed after it is passed to the program

Continue

c

Pause the program

ctrl + c

step (source-level step into)

short form: s

Executes one source line; if it calls a function, stops inside that function.

next (source-level step over)

short form: n

Executes one source line without entering called functions.

finish (step out of the current function)

Runs until the current function returns to its caller.

On a stripped binary with no source, step and next have no lines to work with; use the instruction-level forms si (step one instruction, entering calls) and ni (step one instruction, over calls) instead.

Inspection

View the call stack

bt                                      // thread backtrace; bt all shows every thread

Read memory

memory read <start-address> [<end-address>] [--outfile <path>]   // addresses are expressions, so a register such as $rsi is read as the address it holds

Example:

(lldb) memory read $rsi

0x00035ebe: 0e 98 07 99 09 68 08 9a 90 47 0c 99 03 90 08 46 .....h...G.....F
0x00035ece: 03 99 01 f0 80 e8 02 22 c0 f2 00 02 41 f2 52 10 ......."....A.R.

(lldb) memory read 0x35f1c 0x35f46 --outfile /tmp/test.txt  // save a memory region to a file

The file receives the same text dump that is printed on screen; add --binary (-b) to write the raw bytes instead. lldb's option parser also accepts the single-dash spellings -outfile, -count and -force, but --outfile, --count and --force are the documented forms.

By default memory read refuses to read more than 1024 bytes.

For example, the following command fails:

(lldb) memory read 0x1000 0x3000 --outfile /tmp/test.txt

error: Normally, 'memory read' will not read over 1024 bytes of data.
Fix: add --force

(lldb) memory read 0x1000 0x3000 --outfile /tmp/test.txt --force
or, giving a byte count instead of an end address:
(lldb) memory read 0x1000 --outfile /tmp/test.txt --count 0x2000 --force
(lldb) memory read $x0 --outfile /tmp/test.txt --count 0x2000 --force   // $x0: first-argument register on arm64, read as an address
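An added example, not from the original post: a small Python parser that turns the text form of a memory read dump (what is printed on screen, and what --outfile writes unless --binary is given) back into bytes, so a region saved earlier can be searched or diffed offline. It assumes the default byte-with-ASCII format shown above; the hex tokens are taken greedily and then checked against the ASCII column, which resolves lines where the memory contents themselves look like hex. The sample input is the two lines from this page embedded as a string, plus one constructed line whose ASCII column reads "ab cd".

```python
import re

# Start of a dump line: the address, a colon, then everything else.
_LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+):\s*(.*)$")
# One two-digit hex byte followed by whitespace or end of line.
_HEX_TOKEN_RE = re.compile(r"([0-9a-fA-F]{2})(?:\s+|$)")


def render_ascii(data: bytes) -> str:
    """Render bytes like lldb's ASCII column: printable ASCII as-is, anything else as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def parse_dump_line(line: str):
    """Parse one 'memory read' line into (address, bytes).

    Hex tokens are taken greedily and then handed back one at a time until the
    rest of the line equals the ASCII rendering of the bytes kept. That settles
    lines whose ASCII column itself looks like hex bytes (memory holding "ab cd").
    """
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a memory read line: {line!r}")
    address = int(m.group(1), 16)
    rest = m.group(2)

    tokens = []  # (byte value, offset in rest just past the token and its spacing)
    pos = 0
    while True:
        t = _HEX_TOKEN_RE.match(rest, pos)
        if t is None:
            break
        tokens.append((int(t.group(1), 16), t.end()))
        pos = t.end()
    if not tokens:
        raise ValueError(f"no hex bytes (only the default byte-with-ASCII format is handled): {line!r}")

    for k in range(len(tokens), 0, -1):
        data = bytes(v for v, _ in tokens[:k])
        remainder = rest[tokens[k - 1][1]:]
        if remainder.strip() == render_ascii(data).strip():
            return address, data
    raise ValueError(f"hex bytes and ASCII column disagree: {line!r}")


def parse_memory_read(text: str):
    """Parse a whole dump (screen output or an --outfile text file) into (base, bytes).

    Lines must be contiguous and ascending; a gap or overlap raises instead of
    silently placing bytes at the wrong offsets.
    """
    base = None
    buf = bytearray()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        address, data = parse_dump_line(raw)
        if base is None:
            base = address
        elif address != base + len(buf):
            raise ValueError(
                f"non-contiguous dump: expected 0x{base + len(buf):x}, got 0x{address:x}")
        buf += data
    if base is None:
        raise ValueError("empty dump")
    return base, bytes(buf)


def find_bytes(text: str, needle: bytes):
    """Absolute address of the first occurrence of needle in the dump, or None."""
    base, data = parse_memory_read(text)
    i = data.find(needle)
    return None if i < 0 else base + i


# Constructed sample input: the two lines printed by 'memory read $rsi' above.
SAMPLE_DUMP = """\
0x00035ebe: 0e 98 07 99 09 68 08 9a 90 47 0c 99 03 90 08 46 .....h...G.....F
0x00035ece: 03 99 01 f0 80 e8 02 22 c0 f2 00 02 41 f2 52 10 ......."....A.R.
"""

if __name__ == "__main__":
    base, data = parse_memory_read(SAMPLE_DUMP)
    print(f"0x{base:x}: {len(data)} bytes")
    print(data.hex(" "))
```

The contiguity check matters when several --outfile dumps are concatenated: a missing line would otherwise shift every later offset. When the bytes are still needed inside lldb itself, memory read --binary avoids the round trip through text entirely.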

Read registers

register read                           // general-purpose registers; register read <name> for one, register read -a for every register set

Write a register

register write <REGISTER> <VALUE>       // takes effect when the process resumes

Find a function's address by name

image lookup -r -s "<FUNCTION NAME>"    // -r treats the name as a regular expression; without -r the symbol name must match exactly

List loaded modules

 image list

Show one module

image list "<MODULE NAME>"

Disassemble from an address

disassemble -s <START ADDRESS>          // starts at that address; -a <address> disassembles the whole function containing it, -n <name> a function by name

Reference: https://www.dllhook.com/post/51.html

lldb help

Help overview

(lldb) help
Debugger commands:
  apropos           -- List debugger commands related to a word or subject.
  breakpoint        -- Commands for operating on breakpoints (see 'help b' for shorthand.)
  command           -- Commands for managing custom LLDB commands.
  disassemble       -- Disassemble specified instructions in the current target.  Defaults to the current function for the current thread and stack frame.
  expression        -- Evaluate an expression on the current thread.  Displays any returned value with LLDB's default formatting.
  frame             -- Commands for selecting and examing the current thread's stack frames.
  gdb-remote        -- Connect to a process via remote GDB server.  If no host is specifed, localhost is assumed.
  gui               -- Switch into the curses based GUI mode.
  help              -- Show a list of all debugger commands, or give details about a specific command.
  kdp-remote        -- Connect to a process via remote KDP server.  If no UDP port is specified, port 41139 is assumed.

Viewing a command's options

help disassemble lists them. Typing the command with help as its argument, as below, is rejected but prints the same usage text:

(lldb) dis help
error: "disassemble" arguments are specified as options.

Command Options Usage:
  disassemble [-bmr] -s <address-expression> [-A <arch>] [-C <num-lines>] [-e <address-expression>] [-F <disassembly-flavor>] [-P <plugin>]
  disassemble [-bmr] -s <address-expression> [-A <arch>] [-C <num-lines>] [-c <num-lines>] [-F <disassembly-flavor>] [-P <plugin>]
  disassemble [-bmr] [-A <arch>] [-C <num-lines>] [-c <num-lines>] [-F <disassembly-flavor>] [-n <function-name>] [-P <plugin>]
  disassemble [-bfmr] [-A <arch>] [-C <num-lines>] [-c <num-lines>] [-F <disassembly-flavor>] [-P <plugin>]
  disassemble [-bmpr] [-A <arch>] [-C <num-lines>] [-c <num-lines>] [-F <disassembly-flavor>] [-P <plugin>]
  disassemble [-blmr] [-A <arch>] [-C <num-lines>] [-F <disassembly-flavor>] [-P <plugin>]
  disassemble [-bmr] [-a <address-expression>] [-A <arch>] [-C <num-lines>] [-F <disassembly-flavor>] [-P <plugin>]

       -A <arch> ( --arch <arch> )
            Specify the architecture to use from cross disassembly.

       -C <num-lines> ( --context <num-lines> )
            Number of context lines of source to show.

       -F <disassembly-flavor> ( --flavor <disassembly-flavor> )
            Name of the disassembly flavor you want to use. Currently the only valid options are default, and for Intel architectures, att and intel.

       -P <plugin> ( --plugin <plugin> )
            Name of the disassembler plugin you want to use.

       -a <address-expression> ( --address <address-expression> )
            Disassemble function containing this address.

       -b ( --bytes )
            Show opcode bytes when disassembling.

       -c <num-lines> ( --count <num-lines> )
            Number of instructions to display.

       -e <address-expression> ( --end-address <address-expression> )
            Address at which to end disassembling.

posted @ 2023-01-07 17:17  乘舟凉