Breakpoint-related technologies and principles (2)

Continue to take notes on the OD breakpoint technology.

1. Hardware breakpoint:

The Intel CPU has eight Debug Registers (dr0-dr7), where dr0-dr3 is used to set the hardware breakpoint address, dr6 is saved, and dr7 is responsible for controlling. When the command is executed to the address indicated by Dr, the CPU is interrupted, waiting for further ollydbg operations.
In ollydbg, select a row and press the F4 key to execute the row to the specified position, that is, a hardware breakpoint is set temporarily.
Hardware access/Write breakpoint is broken when the hardware breakpoint is triggeredNext command.

Method:
Right-click the code and choose breakpoint> hardware execution. Right-click the register window and choose "view debug register". The setting is successful.
Choose "debug"> "Hardware breakpoint" to view all hardware breakpoints that have been set.


Advantages:
The program cannot detect such breakpoints.
Disadvantages:
You can set up to four at the same time.


2. Condition breakpoint \ condition record breakpoint
2.1 conditional breakpoint

It is actually a normal CC breakpoint, but the trigger of this breakpoint must meet the set conditions.

The help documentation of OD contains detailed condition expression specifications.

2.2 resumable recording
You can have more detailed condition settings than conditional breakpoints.

The [l] button in the toolbar opens the log window.



3. Message breakpoint
Windows is a message-driven system. A message breakpoint causes an interruption when a window function receives a message.

Method:Click W in the toolbar. If it is null, right-click and refresh.
Select a window object, right-click it, and choose Set message breakpoint.
Set the corresponding message code in message, such as 202 wm_lbuttonup.
Setting a message breakpoint usually stops at the system library function airspace. You only need to set the breakpoint in the memory segment (such as code) of the toolbar [M. (For example, memory access breakpoint)


A. For a stack, to view the address location for example, [esp + 8], double-click the address.


B. If you want to view all the messages to find useful information, you can initiate a message breakpoint on the function of information conversion.
For example, defwindowproca and translatemessage are defined to set breakpoints.





References:

Http://bbs.pediy.com/showthread.php? P = 1279874 # post1279874

Http://bbs.pediy.com/showthread.php? P = 1280177 # post1280177