[Download] EDB Linux Debugger 0.8.12 Release
Posted: 2007-3-2 16:36 3565

From:RCE

by:proxy


I do a lot of work analyzing applications which I do not have the source code for. On Windows, OllyDbg is the tool of choice, but there is no Linux (or any other *nix equivalent) that I could find. Sure we have GDB, but GDB and all its various frontends tend to lean towards debugging applications to which we have the source. What I really want is a debugger which is as functional and useable as OllyDbg but for Linux (and possibly more). So I started my own debugger based on the ptrace API in Linux, and it is coming along very nicely. The hex dump views are based on the QHexView I developed which gives things a very polished look.

I am happy to announce that version 0.8.12 of EDB is available under the GPL-2 license for download! Please give it a try and let me know what I can do to improve it. Documentation is pretty much non-existent, but that's one of the reasons why this is not a 1.0 release :). Remember to read the README file, it has a lot of information, and please check the TODO list before asking about a missing feature, it may already be in the works. Enjoy!

EDB's source tree contains a copy of libdisasm, since that is what it uses to perform disassembly. libdisasm.a is already compiled in this directory and the source is configured to link against it statically. Until having libdisasm.so present in /usr/lib/ is common on most distributions (I don't have a Gentoo ebuild yet :-P), I think this is the best way to address this.

Launch and attach to new process
View/Dump memory regions
Toggle execution breakpoints
The usual debug ops (step-into/step-over/run/break)
Effective address inspection
String searching (like strings command in *nix)
Debugging core is implemented as a plugin (using the QPlugin API) so people can have drop in replacements. Of course if a given platform has several debugging APIs available, then you may have a plugin that implements any of them.
Opcode search engine plugin has basic functionality (similar to msfelfscan/msfpescan)
Debugging events are trapped in a separate thread so as to not lock up the GUI
The data dump view is tabbed, allowing you to have several views of memory open at the same time and quickly switch between them.
Basic Heap analysis (lists busy/free blocks)
Importing of symbol maps
Byte pattern searching
One of the main goals of this debugger is isolation of the debugger core from the display you see. The interface is written in Qt4 and thus source portable to many platforms. The debugger core is actually a plugin and the platform specific code is isolated to just a few files, porting to a new OS would require porting these few files and implementing a plugin which implements the "DebuggerCoreInterface" interface. Also, because the plugins are based on the QPlugin API, and do their work through the DebuggerCoreInterface object, they are almost always portable with just a simple recompile. So far, the only plugin I have written which would not port with just a recompile is the heap analysis plugin, due to its highly system specific nature.




0.8.12 released, adding a few fixes, a few speedups, and a few new features

CHANGELOG:

2007-02-26
----------

* Added ability to change the working directory opened applications run in.

2007-02-23
----------

* Improved about dialog box :-P

2007-02-15
----------

* Added ability to dump the contents of a data view tab to a file.

2007-01-17
----------

* Added recent file list to File menu.

2007-01-16
----------

* Cleared internal state tracking on detach, nothing major.

2006-12-23
----------

* Added new stylized register view window, still working out the programmers API
for it, but at least it looks nice


Down:


http://www.codef00.com/projects/debugger-0.8.12.tgz

Latest replies (6)
2
Attachments:
  • C.JPG (104.50 KB, 133 downloads)
2007-5-31 18:09
3
Thanks a lot, downloading it to try out~~
2007-5-31 20:25
4
to yijun8354
My permission level is too low, so I can't reply!
As I recall, you run qmake in the folder that contains the file named in the error message.
2007-6-4 16:59
5
Reposting, linux.......
2007-6-5 10:58
6
Good stuff, I'll take it, I'll take it.
2007-6-6 11:31
7
So cool,
I can't install linice completely, let me try this.
2007-6-6 16:53