Query debugger events recorded for a session.

Returns events such as breakpoint hits, signals, crashes, and process exits detected during command execution or by the background monitor.

Args: session_id: The UUID of the session. limit: Maximum number of events to return (default 50). event_type: Filter by event type (e.g. "breakpoint_hit", "signal", "crash", "exited", "stopped"). None returns all types.

Start the background event monitor for a session.

The monitor watches for asynchronous debugger events (breakpoint hits, signals, crashes) between tool calls. Events are recorded in the session's event log and trigger MCP resource-updated notifications.

This is optional — all core debugging functionality works without the monitor. The monitor is useful for long-running programs where events may occur outside of active tool calls.

Args: session_id: The UUID of the session.

Stop the background event monitor for a session.

Args: session_id: The UUID of the session.

Start a new LLDB session with pwndbg loaded.

Spawns an LLDB process, optionally loads pwndbg via command script import, and returns a session ID for subsequent commands.

Args: lldb_path: Path to the LLDB binary (default: "lldb"). working_dir: Working directory for the session. pwndbg_path: Path to pwndbg's lldbinit.py entry point. If provided, pwndbg will be loaded automatically via command script import.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/dbg/lldb/

Terminate a pwndbg session and free all resources.

Args: session_id: The UUID of the session to terminate.

List all active pwndbg sessions with their IDs, targets, and working directories.

Execute an arbitrary LLDB or pwndbg command (escape hatch).

Use this for any command not exposed as a dedicated tool. Both native LLDB commands and pwndbg-registered commands are supported.

Args: session_id: The UUID of the session. command: The full command string to execute.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/dbg/lldb/

Load a program into the debugger.

Sets the target executable and optional arguments. The program path is resolved relative to the session's working directory if not absolute.

Args: session_id: The UUID of the session. program: Path to the executable. arguments: Optional list of program arguments.

Attach to a running process by PID.

Args: session_id: The UUID of the session. pid: Process ID to attach to.

Load a core dump file for post-mortem analysis.

Args: session_id: The UUID of the session. program: Path to the executable that generated the core. core_path: Path to the core dump file.

Run the loaded program from the beginning.

Blocks until the process stops (breakpoint, signal, exit) or times out. Streams intermediate debugger output as MCP progress/log notifications.

Args: session_id: The UUID of the session. timeout: Maximum seconds to wait for the process to stop (default 30).

Start the program and stop at its ELF entry point address.

pwndbg command: entry Source: pwndbg/commands/start.py Category: Start

Unlike 'start' (GDB-only), 'entry' works on LLDB. It sets a temporary breakpoint at the binary's entry point and runs.

Args: session_id: The UUID of the session. timeout: Maximum seconds to wait (default 30).

Continue program execution until the next breakpoint or exit.

Blocks until the process stops or times out. Streams intermediate debugger output as MCP progress/log notifications.

Args: session_id: The UUID of the session. timeout: Maximum seconds to wait for the process to stop (default 30).

Step into the next source line or instruction.

Args: session_id: The UUID of the session. instructions: If True, step a single machine instruction (si) instead of a source line (s).

Step over the next source line or instruction (does not enter calls).

Args: session_id: The UUID of the session. instructions: If True, step over a single machine instruction (ni) instead of a source line (n).

Execute until the current function returns.

Blocks until the function returns or times out. Streams intermediate debugger output as MCP progress/log notifications.

Args: session_id: The UUID of the session. timeout: Maximum seconds to wait (default 30).

Kill the running process.

Args: session_id: The UUID of the session.

Break at the next jump instruction.

pwndbg command: nextjmp (alias: nextjump) Source: pwndbg/commands/next.py Category: Step/Next/Continue

Continues execution until the next jump-type instruction (jmp, je, jne, etc.) is reached, which is useful for tracing control flow decisions.

Args: session_id: The UUID of the session. timeout: Maximum seconds to wait (default 30).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/next/

Break at the next call instruction, optionally filtered by symbol regex.

pwndbg command: nextcall Source: pwndbg/commands/next.py Category: Step/Next/Continue

Args: session_id: The UUID of the session. symbol_regex: Optional regex to match the call target symbol name. timeout: Maximum seconds to wait (default 30).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/next/

Break at the next return-like instruction (ret, retf, iret, sysret).

pwndbg command: nextret Source: pwndbg/commands/next.py Category: Step/Next/Continue

Args: session_id: The UUID of the session. timeout: Maximum seconds to wait (default 30).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/next/

Step to the next return instruction (single-steps until ret is found).

pwndbg command: stepret Source: pwndbg/commands/next.py Category: Step/Next/Continue

Unlike nextret which sets a breakpoint, this command single-steps through every instruction until a return instruction is reached.

Args: session_id: The UUID of the session. timeout: Maximum seconds to wait (default 30).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/next/

Break at the next instruction belonging to the running program.

pwndbg command: nextproginstr Source: pwndbg/commands/next.py Category: Step/Next/Continue

Useful for skipping over library code to reach the next instruction that belongs to the main binary.

Args: session_id: The UUID of the session. timeout: Maximum seconds to wait (default 30).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/next/

Set a breakpoint on the instruction after the current one and continue.

pwndbg command: stepover (alias: so) Source: pwndbg/commands/next.py Category: Step/Next/Continue

This is pwndbg's enhanced step-over that works at the instruction level by setting a breakpoint on the next instruction address.

Args: session_id: The UUID of the session. addr: Optional address to step over at (defaults to current PC). timeout: Maximum seconds to wait (default 30).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/next/

Break at the next syscall instruction (without taking branches).

pwndbg command: nextsyscall (alias: nextsc) Source: pwndbg/commands/next.py Category: Step/Next/Continue

Args: session_id: The UUID of the session. timeout: Maximum seconds to wait (default 30).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/next/

Step to the next syscall instruction (follows branches).

pwndbg command: stepsyscall (alias: stepsc) Source: pwndbg/commands/next.py Category: Step/Next/Continue

Unlike nextsyscall, this follows branches by single-stepping through all instructions until a syscall is found.

Args: session_id: The UUID of the session. timeout: Maximum seconds to wait (default 30).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/next/

Step until a specific assembly instruction is reached.

pwndbg command: stepuntilasm Source: pwndbg/commands/next.py Category: Step/Next/Continue

Single-steps until an instruction matching the given mnemonic (and optionally operand string) is found. This can be slow, so the default timeout is 60s.

Args: session_id: The UUID of the session. mnemonic: The instruction mnemonic to match (e.g. "syscall", "call", "mov"). op_str: Optional operand string to match. timeout: Maximum seconds to wait (default 60).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/next/

Set a breakpoint at the given location, optionally with a condition.

Args: session_id: The UUID of the session. location: Function name, address, or file:line to break at. condition: Optional condition expression for the breakpoint.

List all breakpoints in the current session.

Args: session_id: The UUID of the session.

Delete a breakpoint by its ID number.

Args: session_id: The UUID of the session. breakpoint_id: The numeric breakpoint ID to delete.

Set a breakpoint with full control over address, module, auto-continue, and naming.

Supports all common breakpoint styles:

• By function name: name="CreateXmlReader"

• By address: address="0x10027cacc"

• By module+offset: module="Xmllite", offset="0x3cf8"

• By file+line: address="file.c:42"

Args: session_id: The UUID of the session. address: Address or file:line expression. Mutually exclusive with name. name: Symbol name to break on. Mutually exclusive with address. module: Restrict breakpoint to this module (e.g., "Xmllite"). offset: Module-relative offset (hex string). Requires module to be set. auto_continue: If True, breakpoint auto-continues (counts hits without stopping). bp_name: Assign a human-readable name to the breakpoint for later reference. condition: Optional condition expression (breakpoint only fires if true). one_shot: If True, breakpoint is deleted after first hit.

List all breakpoints with structured, machine-parseable output.

Returns a JSON-formatted list of breakpoints, each with: id, name, address, module, resolved, hit_count, auto_continue, enabled

This is more reliable than parsing raw breakpoint list text output, especially for module-relative breakpoints which have inconsistent formatting across lldb versions.

Args: session_id: The UUID of the session.

Execute multiple LLDB/pwndbg commands sequentially in a single call.

This avoids multiple MCP round-trips for setup operations like setting several breakpoints, configuring settings, or running a sequence of inspection commands.

Args: session_id: The UUID of the session. commands: List of command strings to execute in order.

Returns: Combined output from all commands, with clear separators.

Run or continue the program and block until it stops or exits.

Waits until the process reaches a stopped state (breakpoint, crash, signal) or exits, then returns the stop reason along with register context. Streams intermediate debugger output as MCP progress/log notifications so the client can observe execution in real-time.

Args: session_id: The UUID of the session. action: "run" to start from beginning, "continue" to resume. timeout: Maximum seconds to wait for the process to stop.

Set a watchpoint on a memory address or variable.

Args: session_id: The UUID of the session. expression: The variable or address expression to watch. watch_type: Type of access to watch — "read", "write", or "read_write".

Display the pwndbg context — registers, disassembly, stack, backtrace, etc.

pwndbg command: context (alias: ctx) Source: pwndbg/commands/context.py Category: Context

This is pwndbg's signature command. It shows a unified view of the current debugger state including registers, nearby disassembly, stack contents, backtrace, and any additional context sections configured by the user.

Args: session_id: The UUID of the session. sections: Optional space-separated list of sections to show (e.g. "regs disasm stack backtrace").

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/context/

Configure where a context section's output is sent.

pwndbg command: contextoutput (alias: ctx-out) Source: pwndbg/commands/context.py Category: Context

Args: session_id: The UUID of the session. section: The context section name (e.g. "regs", "disasm", "stack"). value: The output target or configuration value.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/context/

Add a watched expression to the context display.

pwndbg command: contextwatch (alias: ctx-watch, cwatch) Source: pwndbg/commands/context.py Category: Context

Adds an expression that will be evaluated and displayed every time the context refreshes.

Args: session_id: The UUID of the session. expression: The expression to watch (e.g. "$rax", "(int)$rsp"). cmd: Optional command to use for display (e.g. "hexdump", "telescope").

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/context/

Remove a watched expression from the context display.

pwndbg command: contextunwatch (alias: ctx-unwatch, cunwatch) Source: pwndbg/commands/context.py Category: Context

Args: session_id: The UUID of the session. num: The watch number to remove.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/context/

Recursively dereference pointers starting at an address (default: $sp).

pwndbg command: telescope Source: pwndbg/commands/telescope.py Category: Memory

Telescope is one of pwndbg's most useful commands. It reads pointer-sized values from memory and follows the chain of dereferences, showing the ultimate value (string, address, symbol, etc.).

Args: session_id: The UUID of the session. address: Starting address or register (default: $sp). count: Number of pointer-sized entries to show. reverse: If True, show entries in reverse order.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/telescope/

Show stack contents using telescope-style dereference display.

pwndbg command: stack Source: pwndbg/commands/telescope.py Category: Stack

Equivalent to telescope $sp with extra stack-aware formatting.

Args: session_id: The UUID of the session. count: Number of entries to show (default: 8). offset: Offset from $sp in pointer-sized units.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/telescope/

Show the entire current stack frame contents.

pwndbg command: stackf Source: pwndbg/commands/telescope.py Category: Stack

Dereferences the stack from $sp to $bp, showing the entire current stack frame.

Args: session_id: The UUID of the session.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/telescope/

Hex dump memory at the specified address.

pwndbg command: hexdump Source: pwndbg/commands/hexdump.py Category: Memory

Shows memory in canonical hex+ASCII format, similar to xxd/hexdump.

Args: session_id: The UUID of the session. address: Address or register to dump from (default: $sp). count: Number of bytes to dump. code: Output format — "py" for Python bytes literal, "c" for C array.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/hexdump/

Print the virtual memory map of the process.

pwndbg command: vmmap (aliases: lm, address, vprot, libs) Source: pwndbg/commands/vmmap.py Category: Memory

Shows all memory regions with their start/end addresses, permissions, and mapped file names. Can be filtered by address, module name, or permission flags.

Args: session_id: The UUID of the session. filter_str: Optional filter — an address or module name substring. writable: If True, only show writable regions. executable: If True, only show executable regions.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/vmmap/

Search process memory for byte sequences, strings, pointers, or integers.

pwndbg command: search Source: pwndbg/commands/search.py Category: Memory

Searches all mapped memory regions for the given value. Supports multiple search types and can be filtered to specific permission regions.

Args: session_id: The UUID of the session. value: The value to search for. type: Search type — "bytes", "byte", "short", "dword", "qword", "pointer", "string". hex_encoded: If True, interpret value as hex-encoded bytes. executable: If True, only search executable regions. writable: If True, only search writable regions.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/search/

Show extended information about an address — offsets from useful locations.

pwndbg command: xinfo Source: pwndbg/commands/xinfo.py Category: Memory

Displays what memory region the address belongs to, along with offsets from the base of the containing page, binary, stack, heap, etc.

Args: session_id: The UUID of the session. address: Address to inspect (default: $pc).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/xinfo/

Calculate the distance between two addresses.

pwndbg command: distance Source: pwndbg/commands/distance.py Category: Memory

If only one argument is given, prints the offset from the address's page base. Useful for calculating offsets for exploits.

Args: session_id: The UUID of the session. a: First address or expression. b: Optional second address or expression.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/distance/

Pointer-scan memory for possible information leaks.

pwndbg command: probeleak Source: pwndbg/commands/probeleak.py Category: Memory

Scans memory at the given address for values that look like pointers into known regions (stack, heap, libc, binary, etc.), which could indicate exploitable information leaks.

Args: session_id: The UUID of the session. address: Address to start scanning (default: $sp). count: Number of bytes to scan (default: 0x40). max_distance: Maximum distance for pointer matching (0 = unlimited).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/probeleak/

Attempt to find a pointer leak chain from a starting address.

pwndbg command: leakfind Source: pwndbg/commands/leakfind.py Category: Memory

Walks pointer chains to find paths from a controlled region to interesting targets (libc, stack, etc.). Extremely useful for exploit development.

Args: session_id: The UUID of the session. address: Starting address (default: $sp). page_name: Target page name to reach. max_depth: Maximum chain depth (default: 4).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/leakfind/

Pointer-to-pointer chain search across memory mappings.

pwndbg command: p2p Source: pwndbg/commands/p2p.py Category: Memory

Finds chains of pointers between different memory regions, useful for discovering pivot chains in exploit development.

Args: session_id: The UUID of the session. mapping_names: Optional comma-separated list of mapping name ranges to search.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/p2p/

Call the mprotect syscall to change memory permissions.

pwndbg command: mprotect Source: pwndbg/commands/mprotect.py Category: Memory

Directly invokes mprotect(2) on the target process. Useful for making regions writable or executable during exploit development.

Args: session_id: The UUID of the session. addr: Address of the memory region. length: Length of the region in bytes. prot: Protection flags (e.g. "7" for rwx, "5" for r-x).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/mprotect/

Call the mmap syscall to allocate new memory in the target process.

pwndbg command: mmap Source: pwndbg/commands/mmap.py Category: Memory

Directly invokes mmap(2) on the target. Useful for creating executable shellcode regions or scratch memory during exploitation.

Args: session_id: The UUID of the session. addr: Desired address (0 for OS-chosen). length: Size of mapping (default: 0x1000). prot: Protection flags (default: "7" = rwx). flags: mmap flags (default: "0x22" = MAP_PRIVATE | MAP_ANONYMOUS).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/mmap/

Display CPU registers.

Args: session_id: The UUID of the session. register: Optional specific register name to read.

Display ARM CPSR / xPSR / PSTATE register bits.

pwndbg command: cpsr (aliases: xpsr, pstate) Source: pwndbg/commands/cpsr.py Category: Register Arch: ARM, AArch64 only

Decodes the ARM condition flags register into individual flag bits with human-readable names.

Args: session_id: The UUID of the session. cpsr_value: Optional CPSR value to decode (default: read from register).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/cpsr/

Modify a CPU flag in the flags register.

pwndbg command: setflag (alias: flag) Source: pwndbg/commands/flags.py Category: Register

Allows setting individual flag bits (ZF, CF, SF, OF, etc.) without modifying the entire flags register.

Args: session_id: The UUID of the session. flag: Flag name (e.g. "ZF", "CF", "SF", "OF"). value: Value to set (0 or 1).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/flags/

Disassemble instructions near the PC with enhanced annotation.

pwndbg command: nearpc (aliases: pdisass, u) Source: pwndbg/commands/nearpc.py Category: Disassemble

pwndbg's enhanced disassembler that shows resolved symbols, register values, memory dereferences, and branch target annotations inline with the disassembly.

Args: session_id: The UUID of the session. address: Address to disassemble at (default: $pc). lines: Number of instructions to show. emulate: If True, emulate instructions to show predicted register values.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/nearpc/

Disassemble with instruction emulation to predict register/memory state.

pwndbg command: emulate Source: pwndbg/commands/nearpc.py Category: Disassemble

Like nearpc but with emulation enabled by default. Shows what registers and memory values would be after each instruction executes, without actually executing them.

Args: session_id: The UUID of the session. address: Address to start emulation (default: $pc). lines: Number of instructions to emulate.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/nearpc/

Disassemble code using LLDB's native disassembler.

Args: session_id: The UUID of the session. location: Function name or address to disassemble. count: Number of instructions (default: 10).

Print the argument count (argc) of the running program.

pwndbg command: argc Source: pwndbg/commands/argv.py Category: Linux/libc/ELF

Args: session_id: The UUID of the session.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/argv/

Print the argument vector (argv) of the running program.

pwndbg command: argv Source: pwndbg/commands/argv.py Category: Linux/libc/ELF

Args: session_id: The UUID of the session. index: Optional specific argv index to print.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/argv/

Print environment variables of the running program.

pwndbg command: envp (aliases: env, environ) Source: pwndbg/commands/argv.py Category: Linux/libc/ELF

Args: session_id: The UUID of the session. name: Optional specific environment variable name.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/argv/

Dump determined arguments for the current call/syscall instruction.

pwndbg command: dumpargs (alias: args) Source: pwndbg/commands/dumpargs.py Category: Misc

Automatically detects the calling convention and displays function arguments with their resolved values at the current call site.

Args: session_id: The UUID of the session. force: If True, force argument dumping even if not at a call site.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/dumpargs/

Print stack addresses that contain return addresses.

pwndbg command: retaddr Source: pwndbg/commands/retaddr.py Category: Stack

Scans the stack for values that look like return addresses (pointers into executable regions), useful for finding ROP pivot targets.

Args: session_id: The UUID of the session.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/retaddr/

Display the stack canary value.

pwndbg command: canary Source: pwndbg/commands/canary.py Category: Stack

Shows the current stack canary (stack guard) value. The canary is used by stack-smashing protection (SSP / -fstack-protector) to detect buffer overflows.

Args: session_id: The UUID of the session. show_all: If True, show canary for all threads.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/canary/

Display the SigreturnFrame at a specific address.

pwndbg command: sigreturn Source: pwndbg/commands/sigreturn.py Category: Misc Arch: x86-64, i386, aarch64, arm

Parses and displays a sigreturn frame structure, which is used in SROP (Sigreturn-Oriented Programming) exploits.

Args: session_id: The UUID of the session. address: Address of the sigreturn frame (default: auto-detect).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/sigreturn/

Dump the arguments of a va_list (variadic argument list).

pwndbg command: valist Source: pwndbg/commands/valist.py Category: Misc

Args: session_id: The UUID of the session. addr: Address of the va_list structure. count: Number of arguments to dump (default: 8).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/valist/

Check binary security properties (RELRO, NX, canary, PIE, RPATH, etc.).

pwndbg command: checksec Source: pwndbg/commands/checksec.py Category: Misc

Analyzes the ELF binary for security mitigations. Shows RELRO level, stack canary, NX (non-executable stack), PIE (position-independent), RPATH/RUNPATH, Fortify, and other compiler/linker security features.

Args: session_id: The UUID of the session. file: Optional path to check (default: loaded binary).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/checksec/

Print ELF section mappings from the binary header.

pwndbg command: elfsections Source: pwndbg/commands/elf.py Category: Linux/libc/ELF

Shows all ELF sections (.text, .data, .bss, .got, .plt, etc.) with their addresses, sizes, and flags.

Args: session_id: The UUID of the session. no_rebase: If True, show file offsets instead of rebased addresses.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/elf/

Print symbols found in the .got.plt section.

pwndbg command: gotplt Source: pwndbg/commands/elf.py Category: Linux/libc/ELF

Shows the GOT/PLT entries with their current resolved values. Useful for identifying which library functions have been resolved by the dynamic linker.

Args: session_id: The UUID of the session.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/elf/

Print symbols found in Procedure Linkage Table sections.

pwndbg command: plt Source: pwndbg/commands/elf.py Category: Linux/libc/ELF

Args: session_id: The UUID of the session. all_symbols: If True, show all PLT symbols including internal ones.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/elf/

Show the state of the Global Offset Table.

pwndbg command: got Source: pwndbg/commands/got.py Category: Linux/libc/ELF

Displays GOT entries with their current values, showing which entries point to the PLT stub (unresolved) vs actual library addresses (resolved).

Args: session_id: The UUID of the session. filter_str: Optional filter string to match symbol names.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/got/

Calculate the virtual address from a PIE-relative offset.

pwndbg command: piebase Source: pwndbg/commands/pie.py Category: Linux/libc/ELF

For PIE binaries, converts a file offset (RVA) to a runtime virtual address by adding the PIE base.

Args: session_id: The UUID of the session. offset: Offset from PIE base to calculate (default: 0 = show base). module: Optional module name (default: main binary).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/pie/

Show the dynamic linker's link map (loaded shared objects).

pwndbg command: linkmap Source: pwndbg/commands/linkmap.py Category: Linux/libc/ELF

Displays the linked list of loaded shared objects maintained by the dynamic linker (ld.so), showing base addresses and file paths.

Args: session_id: The UUID of the session.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/linkmap/

Dump type information, optionally overlaid on a memory address.

pwndbg command: dt Source: pwndbg/commands/dt.py Category: Misc

Displays the fields, offsets, and sizes of a struct/type. If an address is provided, reads the memory at that address and displays actual values for each field.

Args: session_id: The UUID of the session. typename: The type name to inspect (e.g. "struct malloc_chunk"). address: Optional memory address to overlay the type onto.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/dt/

Iteratively print chunks on a heap.

pwndbg command: heap Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Walks the heap and prints each chunk's metadata (size, flags, fd/bk pointers for freed chunks). Defaults to the current thread's active heap.

Args: session_id: The UUID of the session. addr: Optional arena or heap address. verbose: If True, show extended chunk details.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Print the contents of a malloc arena.

pwndbg command: arena Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Shows the malloc_state structure fields including top chunk, bins, system_mem, and other arena metadata. Defaults to the current thread's arena.

Args: session_id: The UUID of the session. addr: Optional arena address (default: current thread's arena).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

List all arenas in the process.

pwndbg command: arenas Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Args: session_id: The UUID of the session.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Print all bin contents — fast, small, large, unsorted, and tcache.

pwndbg command: bins Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Displays a unified view of all bin types in the ptmalloc2 allocator.

Args: session_id: The UUID of the session. addr: Optional arena address. tcache_addr: Optional tcache address.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Print the contents of an arena's fastbins.

pwndbg command: fastbins Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Fastbins are singly-linked LIFO free lists for small allocations (up to 0x80 bytes on 64-bit). Shows each fastbin index with its chain.

Args: session_id: The UUID of the session. addr: Optional arena address. verbose: If True, show extended details.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Print the contents of an arena's unsorted bin.

pwndbg command: unsortedbin Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

The unsorted bin is a doubly-linked list where freed chunks go before being sorted into small/large bins. A key target for heap exploits.

Args: session_id: The UUID of the session. addr: Optional arena address. verbose: If True, show extended details.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Print the contents of an arena's small bins.

pwndbg command: smallbins Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Small bins hold chunks from 0x20 to 0x3F0 bytes (64-bit) in doubly-linked lists sorted by size.

Args: session_id: The UUID of the session. addr: Optional arena address. verbose: If True, show extended details.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Print the contents of an arena's large bins.

pwndbg command: largebins Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Large bins hold chunks >= 0x400 bytes (64-bit) in doubly-linked lists sorted by size within each bin.

Args: session_id: The UUID of the session. addr: Optional arena address. verbose: If True, show extended details.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Print tcache contents for the current thread.

pwndbg command: tcache Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Thread-local caching (tcache) was introduced in glibc 2.26. Each thread has 64 singly-linked bins for small allocations, providing fast thread-local allocation without arena locks.

Args: session_id: The UUID of the session. addr: Optional tcache address.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Print tcache bin entries (free list chains per size class).

pwndbg command: tcachebins Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Args: session_id: The UUID of the session. addr: Optional tcache address. verbose: If True, show extended details.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Display detailed information about a specific malloc chunk.

pwndbg command: malloc_chunk Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Shows the chunk header fields (prev_size, size, flags) and for freed chunks, the fd/bk pointers.

Args: session_id: The UUID of the session. addr: Address of the malloc chunk.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Print information about the top chunk (wilderness) of an arena.

pwndbg command: top_chunk Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

The top chunk is the last chunk in the heap, used to service allocations when no suitable freed chunk is available.

Args: session_id: The UUID of the session. addr: Optional arena address.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Print the mp_ (malloc parameters) struct contents.

pwndbg command: mp Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Shows global malloc tuning parameters like mmap_threshold, trim_threshold, top_pad, etc.

Args: session_id: The UUID of the session.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Visualize heap chunks with a colorful graphical representation.

pwndbg command: vis_heap_chunks (alias: vis) Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Renders heap chunks as a visual map with color-coded regions showing chunk boundaries, headers, and data. One of pwndbg's most distinctive features for heap analysis.

Args: session_id: The UUID of the session. addr: Optional starting address.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Simulate what would happen if free() were called on an address.

pwndbg command: try_free Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Walks through glibc's free() logic and reports which checks would pass or fail. Invaluable for debugging heap exploits — shows exactly why a crafted chunk would or wouldn't pass free()'s validation.

Args: session_id: The UUID of the session. addr: Address to simulate freeing.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Find fake fastbin chunk candidates near a target address.

pwndbg command: find_fake_fast Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Searches memory near the target for byte sequences that could be interpreted as valid fastbin chunk headers. Used to find targets for fastbin attacks (e.g. overwriting __malloc_hook).

Args: session_id: The UUID of the session. target_address: Address to search near.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

Display heap information for a specific chunk address.

pwndbg command: hi Source: pwndbg/commands/ptmalloc2.py Category: GLibc ptmalloc2 Heap

Shows which bin a chunk belongs to, its neighbors, and allocation status.

Args: session_id: The UUID of the session. addr: Address of the chunk. verbose: If True, show extended details.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/ptmalloc2/

List all threads in the current process (LLDB native).

Args: session_id: The UUID of the session.

Select a specific thread and show its backtrace.

Args: session_id: The UUID of the session. thread_id: The thread index to select.

List all threads with pwndbg's enhanced formatting.

pwndbg command: threads Source: pwndbg/commands/tls.py Category: Linux/libc/ELF

Shows threads with their IDs, names, and current PC locations using pwndbg's enhanced display format.

Args: session_id: The UUID of the session.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/tls/

Print the Thread Local Storage (TLS) base address.

pwndbg command: tls Source: pwndbg/commands/tls.py Category: Linux/libc/ELF

Shows the TLS base address and optionally the full TLS structure contents. The TLS contains thread-local variables, the stack canary, and other per-thread data.

Args: session_id: The UUID of the session.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/tls/

Generate or look up a cyclic (De Bruijn) pattern for offset calculation.

pwndbg command: cyclic Source: pwndbg/commands/cyclic.py Category: Misc

Generates patterns where every N-byte subsequence is unique, making it easy to determine crash offsets. Can also look up a value in the pattern to find the offset.

Args: session_id: The UUID of the session. length: Length of pattern to generate (mutually exclusive with lookup). lookup: Value to look up in the pattern (finds offset). detect: If True, auto-detect the crash offset from registers. count: Pattern element count (default: 100).

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/cyclic/

Find ROP gadgets using ROPgadget.

pwndbg command: rop (alias: ropgadget) Source: pwndbg/commands/rop.py Category: Integrations

Searches the loaded binary for useful ROP gadgets. Requires ROPgadget to be installed.

Args: session_id: The UUID of the session. grep: Optional regex to filter gadgets.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/rop/

Find one-gadget (magic gadget) RCE gadgets in libc.

pwndbg command: onegadget Source: pwndbg/commands/onegadget.py Category: Linux/libc/ELF Arch: x86-64, i386, aarch64

Searches for single-gadget code paths in libc that directly call execve("/bin/sh", ...). These are the holy grail for exploitation since overwriting a single function pointer gives a shell.

Args: session_id: The UUID of the session. verbose: If True, show constraint details.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/onegadget/

Patch an instruction at the given address with new code or bytes.

pwndbg command: patch Source: pwndbg/commands/patch.py Category: Misc

Assembles the given instruction and writes the bytes at the target address. Useful for live-patching binaries during analysis.

Args: session_id: The UUID of the session. address: Address to patch. instruction: Assembly instruction or hex bytes to write.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/patch/

List all applied patches.

pwndbg command: patch-list Source: pwndbg/commands/patch.py Category: Misc

Args: session_id: The UUID of the session.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/patch/

Revert a patch at the given address.

pwndbg command: patch-revert Source: pwndbg/commands/patch.py Category: Misc

Args: session_id: The UUID of the session. address: Address of the patch to revert.

See: https://pwndbg.re/2025.05.30/reference/pwndbg/commands/patch/