{"id":27171918,"url":"https://github.com/shinoleah/edbg","last_synced_at":"2025-05-16T08:03:12.748Z","repository":{"id":282865750,"uuid":"945833555","full_name":"ShinoLeah/eDBG","owner":"ShinoLeah","description":"eBPF-based lightweight debugger for Android","archived":false,"fork":false,"pushed_at":"2025-05-16T07:14:24.000Z","size":1256,"stargazers_count":548,"open_issues_count":0,"forks_count":62,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-05-16T08:02:03.581Z","etag":null,"topics":["android","ebpf","reverse-engineering"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ShinoLeah.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-03-10T07:45:27.000Z","updated_at":"2025-05-15T11:05:27.000Z","dependencies_parsed_at":"2025-04-09T02:02:34.823Z","dependency_job_id":"850ddf4c-844c-40c8-98dd-372eb25238e6","html_url":"https://github.com/ShinoLeah/eDBG","commit_stats":null,"previous_names":["shinoleah/edbg"],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShinoLeah%2FeDBG","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShinoLeah%2FeDBG/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShinoLeah%2FeDBG/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShinoLeah%2FeDBG/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ShinoLeah","download_url":"https://codeload.github.com/ShinoLeah/eDBG/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254493381,"owners_count":22080126,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","ebpf","reverse-engineering"],"created_at":"2025-04-09T09:19:28.580Z","updated_at":"2025-05-16T08:03:12.741Z","avatar_url":"https://github.com/ShinoLeah.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n \u003cimg src=\"logo.png\"/\u003e\n\n [![GitHub Release](https://img.shields.io/github/v/release/ShinoLeah/eDBG?style=flat-square)](https://github.com/ShinoLeah/eDBG/releases)\n [![License](https://img.shields.io/github/license/ShinoLeah/eDBG?style=flat-square)](LICENSE)\n [![Platform](https://img.shields.io/badge/platform-Android%20ARM64-red.svg?style=flat-square)](https://www.android.com/)\n ![GitHub Repo stars](https://img.shields.io/github/stars/ShinoLeah/eDBG)\n\n 简体中文 | [English](README_EN.md)\n\u003c/div\u003e\n\n\u003e eDBG 是一款基于 eBPF 的轻量级 CLI 调试器。\u003cbr /\u003e\n\u003e\n\u003e 相比于传统的基于 ptrace 的调试器方案,eDBG 不直接侵入或附加程序,具有较强的抗干扰和反检测能力。\n\n## ✨ 特性\n\n- 基于 eBPF 实现,基本无视反调试。\n- 支持常规调试功能(详见“命令详情”)\n- 使用类似 [pwndbg](https://github.com/pwndbg/pwndbg) 的 CLI 界面和类似 GDB 的交互方式,简单易上手\n- 基于文件+偏移的断点注册机制,可以快速启动,支持多线程或多进程调试。\n\n## 💕 演示\n\n![](demo.png)\n\n## 🚀 运行环境\n\n- 目前仅支持 ARM64 架构的 Android 系统,需要 ROOT 权限,推荐搭配 [KernelSU](https://github.com/tiann/KernelSU) 使用\n- 系统内核版本5.10+ (可执行`uname -r`查看)\n\n## ⚙️ 使用\n\n1. 下载最新 [Release](https://github.com/ShinoLeah/eDBG/releases) 版本\n\n2. 推送到手机的`/data/local/tmp`目录下,添加可执行权限\n\n ```shell\n adb push eDBG /data/local/tmp\n adb shell\n su\n chmod +x /data/local/tmp/eDBG\n ```\n\n3. 运行调试器\n\n ```shell\n ./eDBG -p com.pakcage.name -l libname.so -b 0x123456\n ```\n\n | 选项名称 | 含义 |\n | -------- | ---------------------------- |\n | -p | 目标应用包名 |\n | -l | 目标动态库名称 |\n | -b | 初始断点偏移列表(逗号分隔) |\n\n 更多启动选项见“进阶使用”\n\n4. 运行被调试 APP\n\n \u003e eDBG 也可以直接附加正在运行的 APP,但 eDBG 不会主动拉起被调试 APP。\n\n## ⚠️ 注意\n\n- 由于本项目使用基于文件+偏移的断点注册机制,在调试系统库(`libc.so`、`libart.so`)时可能会比较卡顿。\n- **重要**:本项目不能随时暂停被调试程序,因此**必须用 -b 启动选项在可用位置先断下程序才能进行后续调试**。\n- 该项目可以在目标程序运行之前被运行,因此不支持在启动时指定线程 id。\n- 最多支持 20 个启用的断点。\n\n## 💡命令说明\n\n- **断点** `break / b`\n - 偏移:`b 0x1234`(相对初始动态库的偏移)\n - 内存地址:`b 0x6e9bfe214c`(需要当前程序正在运行)\n - 库名+偏移:`b libraryname.so+0x1234`\n - 当前偏移:`b $+1`,(当前位置+**指令条数**)\n - 启用断点:`enable id`,启用指定断点(你可以在 `info` 中查看断点信息)\n - 禁用断点:`disable id`,禁用指定断点\n - 删除断点:`delete id`,删除第 id 号断点\n- **继续运行** `continue / c`:继续执行至下一断点\n- **单步调试**\n - `step / s` 单步步入(进入函数调用)\n - `next / n` 单步步过(跳过函数调用)\n- **查看内存** `examine / x`\n - 地址:`x 0x12345678`(默认长度 16)\n - 地址+长度:`x 0x12345678 128`\n - 寄存器:`x X0`,查看对应寄存器地址对应的内存(`[X0]`)\n - 寄存器+长度:`x X0 128` \n- **退出** `quit / q`:退出**调试器**(不会影响程序运行)\n- **查看信息** `info / i`\n\n - `info b/break`:列出当前所有断点(`[+]`=已启用,`[-]`=未启用)\n - `info register/reg/r`:查看所有寄存器信息。\n - `info thread/t`:列出当前所有线程和已设定的线程过滤器。\n- **重复上一条指令**:直接回车\n\n更多命令见“进阶使用”\n\n## 🧑‍💻 进阶使用\n\n其他的可用选项:\n\n| 选项名称 | 含义 |\n| ----------------- | -------------------------------------------------------- |\n| -t | 线程名称过滤器(逗号分隔) |\n| -i filename | 使用配置文件 |\n| -s | 保存进度到使用的配置文件 |\n| -o filename | 保存进度到指定文件名(与 -s 冲突) |\n| -hide-register | 禁用寄存器信息输出 |\n| -hide-disassemble | 禁用反汇编代码输出 |\n| -prefer | uprobe 或 hardware,指定在单步调试中使用的断点,默认混用 |\n| -disable-color | 禁用彩色输出 |\n\n更多的可用命令:\n\n- **硬件断点** `hbreak`:与 break 用法相同,限制 4 个以内。\n\n- **写监控** `watch`:与 break 用法相同,当指定地址被写入时触发,属于硬件断点。\n\n- **读监控** `rwatch`:同上。\n\n- **退出函数** `finish / fi`:执行直到当前函数退出\n\n \u003e 目前这个功能的实际实现是基于 LR 的,如果 LR 被用作别的用途请使用 until \n\n- **运行直到** `until / u`:运行直到指定地址。地址的指定方法与断点相同\n\n- **写内存** `write 0x1235 62626262`:向指定地址写入 Hex String,地址指定方法与 `examine` 相同,目标地址必须可写\n\n- **Dump 内存** `dump address length filename`:将指定地址的内存写入文件\n\n- **展示内存** `display / disp`\n\n - 地址:`disp 0x123456`,(每次触发断点或单步时打印)\n\n - 地址+长度:`disp 0x123456 128`\n\n - 地址+长度+变量名:`disp 0x123456 128 name`,展示同时打印该变量名\n\n \u003e ⚠️ 若内存地址变化(e.g. 应用重启),此功能将无法输出正确信息。\n\n- **取消展示内存**`undisplay / undisp \u003cid\u003e`:取消展示第 id 号变量\n\n- **设置符号** `set address name`:设置指定地址符号。\n\n- **线程相关** `thread / t`\n\n - `t`:列出所有可用线程。\n - `t + 0`:增加线程过滤器在第 0 个线程(使用`info t`查看所有线程 id),注意不是指定 `tid`\n - `t - 0`:取消第 0 个线程过滤器\n - `t all`:删除所有线程过滤器。\n - `t +n threadname`:增加线程名称过滤器。\n\n- **查看代码** `list / l / disassemble / dis`\n\n - 直接查看:`l`,打印当前 PC 位置开始 10 条指令\n - 查看指定地址:`l 0x1234`,打印对应内存地址 10 条指令\n - 查看指定地址指定长度指令:`l 0x1234 20`,打印对应内存地址对应**指令条数**的指令\n\n## 🛫 编译\n\n1. 环境准备\n\n 本项目在 x86 Linux 下交叉编译\n\n ```shell\n sudo apt-get update\n sudo apt-get install golang-1.18\n sudo apt-get install clang-14\n export GOPROXY=https://goproxy.cn,direct\n export GO111MODULE=on\n ```\n\n2. 编译\n\n ```shell\n git clone --recursive https://github.com/ShinoLeah/eDBG.git\n ./build_env.sh\n make\n ```\n\n## 💭 实现原理\n\n- 所有断点均基于 uprobe,如果你很在意被检测到,请参考最下方文章\n- `step / next / until / finish` 在默认情况下使用硬件断点(仅在跳转指令使用 uprobe),无法被用户态探测到,可以放心使用(如果这个功能没法工作,考虑使用 `prefer=hardware` 或 `prefer=uprobe`)\n- 建议使用 b 在跳转指令处下断点搭配单步使用。\n- [eDBG 使用进阶:避免 uprobes 产生可被察觉的特征](https://www.sh1no.icu/posts/28348c4/)\n\n## 🤝 参考\n\n- [SeeFlowerX/stackplz](https://github.com/SeeFlowerX/stackplz/tree/dev)\n- [pwndbg](https://github.com/pwndbg/pwndbg)\n\n## ❤️‍🩹 其他\n\n- 喜欢的话可以点点右上角 Star 🌟\n- 欢迎提出 Issue 或 PR!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshinoleah%2Fedbg","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshinoleah%2Fedbg","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshinoleah%2Fedbg/lists"}