{"id":13795243,"url":"https://github.com/derekselander/lldb","last_synced_at":"2025-05-15T09:03:20.422Z","repository":{"id":37664718,"uuid":"79964942","full_name":"DerekSelander/LLDB","owner":"DerekSelander","description":"A collection of LLDB aliases/regexes and Python scripts to aid in your debugging sessions","archived":false,"fork":false,"pushed_at":"2024-10-09T20:21:08.000Z","size":23397,"stargazers_count":1822,"open_issues_count":15,"forks_count":204,"subscribers_count":53,"default_branch":"main","last_synced_at":"2025-04-14T02:57:30.348Z","etag":null,"topics":["debugging","ios","lldb","python","xcode"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DerekSelander.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.txt","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-01-24T23:28:56.000Z","updated_at":"2025-04-08T10:01:56.000Z","dependencies_parsed_at":"2024-11-10T00:28:40.361Z","dependency_job_id":"4ae92f5c-f03a-4b8d-a51b-6ea5d0178b02","html_url":"https://github.com/DerekSelander/LLDB","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DerekSelander%2FLLDB","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DerekSelander%2FLLDB/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DerekSelander%2FLLDB/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DerekSelander%2FLLDB/manifests","owner_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DerekSelander","download_url":"https://codeload.github.com/DerekSelander/LLDB/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254310513,"owners_count":22049468,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debugging","ios","lldb","python","xcode"],"created_at":"2024-08-03T23:00:53.669Z","updated_at":"2025-05-15T09:03:15.404Z","avatar_url":"https://github.com/DerekSelander.png","language":"Python","readme":"# LLDB\n\n[![img](Media/dbgbook.png)](https://store.raywenderlich.com/products/advanced-apple-debugging-and-reverse-engineering)\n\nA collection of LLDB aliases/regexes and Python scripts to aid in my debugging sessions. These scripts are built only for my  own amusement, but some of them might be helpful in your own work. If you want to gain a better understanding of how to build these LLDB scripts, or gain a better understanding of LLDB in general, check out [**Advanced Apple Debugging and Reverse Engineering**](https://store.raywenderlich.com/products/advanced-apple-debugging-and-reverse-engineering).\n\n## Installation\n\n1. To Install, copy/clone the **lldb_commands** folder to a dir of your choosing.\n2. Open up (or create) **~/.lldbinit** \n3. Add the following command to your ~/.lldbinit file: `command script import /path/to/lldb_commands/dslldb.py`\n\nBoom! You're good to go!\n\nYou can test to make sure everything worked successfully by just trying one of the commands in the debugger... i.e. `(lldb) help methods`\n\nI'd recommend cloning. 
That way when I announce some new script/fix, you can just `git pull` instead of repeating this whole process.\n\n## LLDB Scripts\n\nFor all commands below, you can view the documentation via `help {command}`. If you want to see what options a command has, type `{command} -h`.\n\nTLDR: `search`, `lookup`, and `dclass` are good GOTOs regardless of whether you're a dev or exploring without source. \n\nIf you like ObjC swizzling, check out `sclass`. If you like DTrace, check out `pmodule` and `snoopie`.\n\n### search\n\n  Searches the heap for all alive instances of a certain class. This class must be dynamic (aka inherit from an `NSObject`/`SwiftObject` class). Currently doesn't work with `NSString` or `NSNumber` (tagged pointer objects).\n  \n  Example:\n  \n      # Find all instances and subclasses of UIView\n      (lldb) search UIView\n\n      # Find all instances of UIView that are UIViews. Ignore subclasses.\n      (lldb) search UIView -e\n\n      # Find all instances of UIView whose tag is equal to 5. Objective-C syntax only. Can reference object by 'obj'\n      (lldb) search UIView -c \"(int)[obj tag]==5\"\n\n      # Find all instances of a UIView subclass whose class is implemented in the SpringBoardUI module\n      (lldb) search UIView -m SpringBoardUI\n\n      # Find all UIView subclasses created in the \"Woot\" module and hide them\n      (lldb) search UIView -m Woot -p \"[obj setHidden:YES]\"\n\n      # Search for UIViews but just print the class, don't print object description (ideal for Swift where they hide the pointer)\n      (lldb) search UIView -b\n\n      # Remember, Swift includes the module in a class name, so if you have a Swift UIView called TestView in module WOOT...\n      (lldb) search WOOT.TestView -b\n\n      # Search for all classes that contain a reference to the pointer 0xfeedfacf\n      (lldb) search -r 0xfeedfacf\n\n### dclass\n\nDumps all the `NSObject`/`SwiftObject` inherited classes in the process. 
If you give it a module, it will dump only the classes within that module. You can also filter out classes to only a certain type and can also generate a header file for a specific class.\n  \n  Example:\n  \n      # Dump ALL the classes (Swift and Objective-C) found within the process\n      (lldb) dclass\n\n      # Dump ObjC/Swift info (if applicable) about the class \"Hello.SomeClass\" (same as dclass -i Hello.SomeClass)\n      (lldb) dclass Hello.SomeClass\n\n      # Dump all the classes that are a UIViewController within the process\n      (lldb) dclass -f UIViewController\n\n      # Dump all the classes with the regex case insensitive search \"viewcontroller\" in the class name\n      (lldb) dclass -r (?i)viewCoNtrolLer\n\n      # Dump all the classes within the UIKit module\n      (lldb) dclass -m UIKit\n\n      # Dump all classes in CKConfettiEffect NSBundle that are UIView subclasses\n      (lldb) dclass /System/Library/Messages/iMessageEffects/CKConfettiEffect.bundle/CKConfettiEffect -f UIView\n\n      # Generate a header file for the class specified:\n      (lldb) dclass -g UIView\n\n      # Generate a protocol that you can cast an object to. Ideal when working with private classes at dev time\n      (lldb) dclass -P UIView\n\n      # Dump all classes and methods for a particular module, ideal for viewing changes in frameworks over time\n      (lldb) dclass -o UIKit\n\n      # Only dump classes whose superclass is of type NSObject and in the UIKit module. 
Ideal for going after specific classes like a datasource where it will likely inherit from NSObject\n      (lldb) dclass -s NSObject -m UIKit\n\n      # Dump only Swift classes\n      (lldb) dclass -t swift\n\n      # Dump only Objective-C classes\n      (lldb) dclass -t objc\n\n      # Get a simplified \"class-dump\" of the UIView class\n      (lldb) dclass -i UIView\n\n      # Get more information than you ever wanted to know about UIView\n      (lldb) dclass -I UIView\n\n### section\n\nDisplays data in the Mach-O segments/sections of the executable or frameworks loaded into the process\n\n      # Dump the Mach-O segments to the main executable\n      (lldb) section\n\n      # Dump the Mach-O segments to UIKit\n      (lldb) section UIKit\n\n      # Dump the Mach-O sections of the __TEXT segment of UIKit\n      (lldb) section UIKit __TEXT\n\n      # Get the load address of all the hard-coded uint8_t * strings in the UIKit binary\n      (lldb) section UIKit __TEXT.__cstring -l\n\n      # Get the entitlements for the executable (simulator only, entitlements for actual app in __LINKEDIT)\n      (lldb) section  __TEXT.__entitlements\n\n      # Get all the load addresses of the lazy symbol stubs in the main executable\n      (lldb) section  __DATA.__la_symbol_ptr -l\n\n### dd\n\nAlternative to LLDB's `disassemble` command. Uses colors. Terminal only and designed for x86_64. ARM64 support will come one day...\n![yoink example](https://github.com/DerekSelander/LLDB/raw/master/Media/dd.png)\n\n### sbt\n\n      Symbolicate backtrace. Will symbolicate a stripped backtrace from an executable if the backtrace is using Objective-C\n      code. 
Currently doesn't work on aarch64 stripped executables but works great on x64 :]\n\n      You learn how to make this command in the book :]\n\n![sbt example](https://github.com/DerekSelander/LLDB/raw/master/Media/sbt_gif.gif)\n\n### msl\n\n      msl 0xadd7e55\n      msl or malloc stack logging will take an address and try and obtain the stack trace to\n      when it was created. \n\n      You will need to set the env var to MallocStackLogging, or `execute turn_on_stack_logging(1)`\n      while the process is active\n\n      You learn how to make this command in the book :]\n\n![msl example](https://github.com/DerekSelander/LLDB/raw/master/Media/msl_gif.gif)\n\n### lookup\n\nPerform a regular expression search for stuff in an executable\n\n  Example:\n  \n      # Find all methods that contain the phrase viewDidLoad\n      (lldb) lookup viewDidLoad\n\n      # Find a summary of all the modules that have a (known) function containing the phrase viewDidLoad\n      (lldb) lookup viewDidLoad -s\n\n      # Search for Objective-C code in a stripped module (i.e. in SpringBoard)\n      (lldb) loo -x StocksFramework .\n\n      # Search for Objective-C code containing the case insensitive phrase init inside a stripped main bundle\n      (lldb) lookup -X (?i)init\n\n      # Search for all hardcoded, embedded `char *` inside an executable containing the phrase *http* inside UIKit\n      (lldb) lookup -S http -m UIKit\n\n      # Dump all the md5'd base64 keys in libMobileGestalt along w/ the address in memory\n      (lldb) loo -S ^[a-zA-Z0-9\\+]{22,22}$ -m libMobileGestalt.dylib -l\n\n      # Dump all the global bss code referenced by DWARF. Ideal for accessing `static` variables when not in scope\n      (lldb) lookup . -g HonoluluArt -l\n      \n      # Look for phrase \"nominal\" (Swift's nominal type descriptors) in module \"SwiftTest\" and get address, don't evaluate symbol\n      (lldb) lookup -G SwiftTest nominal -l \n      \n\n### biof\n\n    Break if on func. 
Syntax: biof regex1 [OptionalModuleName] ||| regex2 RequiredModuleName\n    Regex breakpoint that takes two regex inputs. The first regex creates a breakpoint on all matched functions.\n    The second regex will make a breakpoint condition to stop only if the second regex breakpoint is in the stack trace\n\n    For example, to only stop if code in the \"TestApp\" module resulted in executing the setTintColor: method being called\n    biof setTintColor: ||| . Test\n\n    As a tip, it would be wise to have a limited regex1 that matches a small number of functions, while keeping regex2 at any size\n\n### yoink\n\n  Takes a path on an iOS/tvOS/watchOS device and writes to the **/tmp/** dir on your computer.\n  If it can be read by `-[NSData dataWithContentsOfFile:]`, it can be written to disk\n\n  Example (on iOS 10 device):\n\n      (lldb) yoink /System/Library/Messages/iMessageEffects/CKConfettiEffect.bundle/CKConfettiEffect\n\n![yoink example](https://github.com/DerekSelander/LLDB/raw/master/Media/yoink_gif.gif)\n\n### pmodule\n\n  Creates a custom dtrace script that profiles modules in an executable based upon its\n  memory layout and ASLR. Provide no arguments w/ '-a' if you want a count of all the modules firing.\n  Provide a module if you want to dump all the methods as they occur. The location of the script is\n  copied to your computer so you can paste the soon to be executed dtrace script in the Terminal.\n  \n  WARNING: YOU MUST DISABLE ROOTLESS TO USE DTRACE\n  \n      # Trace all Objective-C code in UIKit \n      (lldb) pmodule UIKit\n\n      # Trace all non-Objective-C code in libsystem_kernel.dylib (i.e. pid$target:libsystem_kernel.dylib::entry)\n      (lldb) pmodule -n libsystem_kernel.dylib\n\n      # Dump errrything. Only displays count of function calls from modules after you end the script. 
Warning slow\n      (lldb) pmodule -a\n\n![pmodule example](https://github.com/DerekSelander/LLDB/raw/master/Media/pmodule_gif.gif)\n\n### snoopie\n\n    Generates a DTrace script that will only profile classes implemented\n    in the main executable regardless of whether the binary is stripped or not. This is done via\n    profiling objc_msgSend. The creation of this command is discussed in the book.\n\n  WARNING: YOU MUST DISABLE ROOTLESS TO USE DTRACE\n  \n## LLDB Commands\n\n### ls\n\nList a directory from the process's perspective. Useful when working on an actual device.\n\n      # List the root dir's contents on an actual iOS device\n      (lldb) ls /\n\n      # List contents for /System/Library on an actual iOS device\n      (lldb) ls /System/Library\n\n### reload_lldbinit\n\nReloads all the contents in your ~/.lldbinit file. Useful for seeing if your python script(s) broke or want to do incremental updates to a python script\n\n    # Reload/Refresh your LLDB scripts\n    (lldb) reload_lldbinit\n\n### tv\n\nToggle view. Hides/Shows a view depending on its current state. You don't need to resume LLDB to see changes. ObjC only\n\n    # Toggle a view on or off\n    (lldb) tv [UIView new]\n\n### pprotocol\n\nDumps all the required and optional methods for specific protocol (Objective-C only)\n\n    # Dump the protocol for UITableViewDataSource\n    (lldb) pprotocol UITableViewDataSource\n\n### pexecutable\n\nPrints the location (on disk) of the filepath to the executable\n\n    (lldb) pexecutable\n\n### pframework\n\nPrints the location (on disk) of a framework\n\n    (lldb) pframework UIKit\n\n### sys\n\nDrops into the shell to execute commands. 
Note you can execute LLDB commands via the $() syntax\n\n    # ls the directory LLDB is running in\n    (lldb) sys ls\n\n    # Use otool -l on the UIKit framework\n    (lldb) sys otool -l $(pframework UIKit)\n\n    # Open the main executable in another program\n    (lldb) sys open -a \"Hopper\" $(pexecutable)\n\n### methods\n\nDumps all methods implemented by the NSObject subclass (iOS, NSObject subclass only)\n\n    # Get all the methods of UIView\n    (lldb) methods UIView\n\n### ivars\n\nDumps all ivars for an instance of a particular class which inherits from NSObject (iOS, NSObject subclass only)\n\n    # Get all the ivars on a newly created instance of UIView\n    (lldb) ivars [UIView new]\n    \n### dumpenv\n\nDumps the environment variables found in the process\n\n    (lldb) dumpenv\n    \n    TESTMANAGERD_SIM_SOCK=/private/tmp/com.apple.launchd.9BmpbuRgyE/com.apple.testmanagerd.unix-domain.socket\n\n    MallocNanoZone=0\n    ...\n\n### keychain\n\nDumps the keychain database relevant to the process\n\n    (lldb) keychain\n    \u003c__NSArrayM 0x600001fb1590\u003e(\n    {\n    acct = \"localdevice-AuthToken\";\n    agrp = apple;\n    \"v_Data (str)\" = \"A8CD94D2-13E3-40B...\n\n### info\n\nDetermine what the hey the address is. Determines if it's a heap, MachO or stack address\n\n    (lldb) info 0x00007ffee39fd540\n    0x00007ffee39fd540, stack address (SP: 0x7ffee39fd4e8, FP: 0x7ffee39fd540) mach_msg_trap \n    \n    (lldb) info 0x7ff15e866800\n    0x7ff15e866800, 0x7ff15e866800 heap pointer, (0x600 bytes) \n    \n    (lldb) info 0x1279232a6\n    0x1279232a6,   -[MKPlaceInfoViewController viewDidLoad]     \u003c+0\u003e `MapKit`__TEXT.__text + 0x1813d6 \n    \n### lsof\n\nList open file descriptors in process. 
(No args)\n\n    (lldb) lsof \n    0 /dev/null\n    1 /dev/null\n    2 /dev/null\n    4 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/KeyboardLayouts/USBKeyboardLayouts.bundle/uchrs/US.uchr\n\n### gg \n\nSuspend the process (good game, AKA game over, weird one, I know). (No args)\n\n### dump_app_contents\n\nDumps contents of application bundle. (No args)\n\n### mload \n\ndlopen convenience method\n\n### pbpaste \n\nPaste selected text from your Mac to your iOS device. (No args, but make sure you have something in the clipboard)\n\n### bdel \n\nDelete breakpoint by address \n\n### data\n\nDump the bytes of a NSData object\n\n### pexecutable\n\nDumps the fullpath to the executable. (No args)\n\n### plocalmodulelist\n\nDumps the local modules specific for the application. (No args)\n\n\n\n### overlaydbg\n\nDisplays the UIDebuggingInformationOverlay in iOS 11. Check out http://ryanipete.com/blog/ios/swift/objective-c/uidebugginginformationoverlay/ for instructions\n\n    # Display UIDebuggingInformationOverlay\n    (lldb) overlaydbg\n\nYou read all the way to here!? [Here's a video highlighting some of these scripts](https://vimeo.com/231806976)\n","funding_links":[],"categories":["\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集","\u003ca id=\"324874bb7c3ead94eae6f1fa1af4fb68\"\u003e\u003c/a\u003eDebug\u0026\u0026调试"],"sub_categories":["\u003ca id=\"d22bd989b2fdaeda14b64343b472dfb6\"\u003e\u003c/a\u003e工具"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fderekselander%2Flldb","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fderekselander%2Flldb","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fderekselander%2Flldb/lists"}