LLEF - LLDB Enhanced Features

13 Jul 2023 - FoundryZero

Today we are announcing the release of LLEF (pronounced ɬɛf, “hlyeff”), a tool similar to GEF that enhances the LLDB debugging experience for reverse engineering and vulnerability research tasks.

TL;DR

We’ve made using LLDB for reversing more like using GDB+GEF. Get LLEF here: github.com/foundryzero/llef.

[Image: LLEF logo]

Why?

The role of the debugger in development, reverse engineering and a variety of associated trades is an essential one; the problem is that the debugger you want to use might not be the one you’re able to use. The options tend to be GDB (the GNU Debugger), with its vast array of extensions and long-standing support, and LLDB (the LLVM Debugger), with its newer design decisions but less community support.

For uncountable years the de facto native debugger has been GDB. However, a slow switch is underway, as Apple and Google now only officially support the use of LLDB on iOS and Android respectively. While GDB is likely to continue to work on those platforms for a while, there are benefits to using the supported debugger, not least that the publishers will listen to you when it doesn’t work.

The problem is that GDB has been extended by the community into a powerful tool for reverse engineering and vulnerability research, but the equivalent tools aren’t there yet for LLDB. There are a number of projects out there that each provide a small number of features, but when we think about the wide range of features provided by GDB extensions such as GEF, and previously PEDA, it’s painful to try to use LLDB for equivalent research.

What?

So, in order to solve this problem, and add to the growing stack of pronunciation debates, Foundry Zero offers to you: LLEF.

[Animation: LLEF in action]

LLEF provides a visual upgrade to the LLDB interface, replicating the familiar layout and theme of GEF. We have provided the much-needed standard breakpoint view from GEF, showing registers (highlighting those whose values changed since the last stop), stack frames, and basic disassembly.

If you want to see a static image of it rather than the above animation, there’s one here.

One of the more heavy-lifting features we have implemented is address dereferencing: resolving addresses to strings, further addresses, and symbols. We have also implemented iterative dereferencing, so that when your address points to the stack, which points to the heap, which points to a symbol which is in fact a string, you know what you’re looking at.

[Image: LLEF dereferencing]
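To make the iterative dereferencing idea concrete, here is an added example (written for this page, not code from LLEF or from Foundry Zero) of a pointer-chain walker. It models memory as a few constructed regions (stack, heap, .rodata) so it runs outside LLDB, and handles the cases that matter in practice: a hop into unmapped memory, a self-referencing slot, a run of printable bytes, and a depth cap. The `LldbMemory` adapter at the end shows how the same walker could be fed from LLDB’s Python API (`lldb.SBProcess`, `lldb.SBTarget`); that adapter is an assumption about how one would wire it up, not LLEF’s implementation.

```python
"""Iterative pointer dereferencing, GEF/LLEF style (added illustration)."""
import struct

POINTER_SIZE = 8
MAX_DEPTH = 8        # hard stop for runaway or very long chains
MIN_STRING_LEN = 4   # shorter printable runs are not reported as strings
READ_WINDOW = 64     # bytes inspected at each hop


class FakeMemory:
    """Constructed address space: {name: (base, bytes)} plus {addr: symbol}."""

    def __init__(self, regions, symbols):
        self.regions = regions
        self.symbols = symbols

    def region_of(self, addr):
        for name, (base, data) in self.regions.items():
            if base <= addr < base + len(data):
                return name
        return None  # unmapped: treat the value as a plain number

    def read(self, addr, size):
        name = self.region_of(addr)
        if name is None:
            return b""
        base, data = self.regions[name]
        return data[addr - base:addr - base + size]  # may be short at a region end

    def symbol_at(self, addr):
        return self.symbols.get(addr)


def _printable_prefix(data):
    """Return a NUL-terminated ASCII string at the start of data, else None."""
    out = []
    for b in data:
        if b == 0:
            text = "".join(out)
            return text if len(text) >= MIN_STRING_LEN else None
        if not 0x20 <= b < 0x7F:
            return None
        out.append(chr(b))
    return None  # no terminator inside the window: not a clean C string


def dereference_chain(mem, addr, depth=MAX_DEPTH):
    """Follow addr -> *addr -> **addr ... and describe each hop.

    Each hop is annotated with its region and any symbol; the chain ends at
    a string, an unmapped value, a loop, or the depth limit.
    """
    chain, seen = [], set()
    while depth > 0:
        if addr in seen:
            chain.append("[loop]")
            break
        seen.add(addr)
        region = mem.region_of(addr)
        if region is None:
            chain.append(hex(addr))
            break
        label = f"{addr:#x} ({region})"
        sym = mem.symbol_at(addr)
        if sym:
            label += f" <{sym}>"
        chain.append(label)
        raw = mem.read(addr, READ_WINDOW)
        text = _printable_prefix(raw)
        if text is not None:
            chain.append(f'"{text}"')
            break
        if len(raw) < POINTER_SIZE:
            break
        addr = struct.unpack("<Q", raw[:POINTER_SIZE])[0]
        depth -= 1
    else:
        chain.append("...")  # depth exhausted
    return chain


def format_chain(chain):
    return " -> ".join(chain)


STACK_BASE, HEAP_BASE, RODATA_BASE = 0x7FFD00000000, 0x555555559000, 0x555555554000


def build_sample_memory():
    """Constructed layout: stack slot -> heap chunk -> symbol in .rodata -> C string."""
    rodata = bytes(16) + b"hello, world\0" + bytes(35)          # string at +0x10
    heap = struct.pack("<Q", RODATA_BASE + 0x10) + bytes(24)    # 32-byte chunk
    stack = (struct.pack("<Q", HEAP_BASE)                       # +0x00: -> heap
             + struct.pack("<Q", STACK_BASE + 8)                # +0x08: -> itself
             + struct.pack("<Q", 0xDEADBEEF)                    # +0x10: unmapped value
             + b"AAAAAAAA" + bytes(32))                         # +0x18: inline ASCII
    regions = {"stack": (STACK_BASE, stack), "heap": (HEAP_BASE, heap),
               "rodata": (RODATA_BASE, rodata)}
    return FakeMemory(regions, {RODATA_BASE + 0x10: "greeting"})


class LldbMemory:
    """Assumed adapter for a live LLDB process; only usable inside LLDB."""

    def __init__(self, target, process):
        self.target, self.process = target, process

    def region_of(self, addr):
        import lldb  # the embedded interpreter provides this module
        info = lldb.SBMemoryRegionInfo()
        if self.process.GetMemoryRegionInfo(addr, info).Success() and info.IsReadable():
            return info.GetName() or "mapped"
        return None

    def read(self, addr, size):
        import lldb
        err = lldb.SBError()
        data = self.process.ReadMemory(addr, size, err)
        return data if err.Success() else b""

    def symbol_at(self, addr):  # resolves the containing symbol, unlike FakeMemory
        sym = self.target.ResolveLoadAddress(addr).GetSymbol()
        return sym.GetName() if sym.IsValid() else None


if __name__ == "__main__":
    mem = build_sample_memory()
    for slot in range(0, 0x20, 8):
        print(format_chain(dereference_chain(mem, STACK_BASE + slot)))
```

Run stand-alone it prints one line per stack slot, for example `0x7ffd00000000 (stack) -> 0x555555559000 (heap) -> 0x555555554010 (rodata) <greeting> -> "hello, world"`. The `seen` set is what keeps a self-referencing slot from looping forever, and the depth cap bounds the cost of walking a long linked structure at every breakpoint stop.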

Among other lower-level changes, we have also made it very simple to add architecture support to LLEF, as long as LLDB supports that architecture (looking at you, MIPS). We have also designed the system in as modular and Pythonic a way as possible, so that if the community feels we’ve missed something important they can implement their most-wanted features themselves (and maybe shoot us a pull request). The joy of open source!

So if you find yourself frustrated with native LLDB, or have been meaning to make the upgrade from GDB but couldn’t live without GEF, then maybe give LLEF a try: github.com/foundryzero/llef.

Thanks

We’re obviously standing on the shoulders of giants here - we’d like to credit hugsy for GEF in particular, from which this tool draws heavy inspiration! Please consider this imitation as flattery 🙂