A conditional breakpoint is one of the three basic breakpoint types described above with a custom test attached, which the debugger evaluates once the breakpoint has stopped execution.
To set one, append debugger commands to the basic breakpoint command; the debugger runs them each time the breakpoint is hit. Separate the commands with semicolons.
Syntax:
0:000> bp Address "j (Condition) 'OptionalCommands'; 'gc'"
0:000> bp Address ".if (Condition) {OptionalCommands} .else {gc}"
These two forms are equivalent.
Of course, the .if/.else form
.if (Condition)
{
}
.else
{
}
is easier to read.
0:000> bp `mysource.cpp:100` "j (poi(MyVar)>0n20) ''; 'gc'"
0:000> bp `mysource.cpp:100` ".if (poi(MyVar)>0n20) {} .else {gc}"
If MyVar is greater than 20, the debugger does not stop;
otherwise it stops so you can debug.
The symbol MyVar evaluates to the address of the variable, not to its value, just like the & operator in C. WinDbg's poi operator reads the value stored at that address, like the * operator in C, so poi(MyVar) yields the value of MyVar.
Pseudo-registers for saving intermediate debugging information
What if you want to record how many times a function has been executed? The simple approach is to modify the code and add a counter at the function entry. But what if the function you want to count is a system API?
Setting a conditional breakpoint on a register
Stop at the breakpoint when eax is 0xa3. No problem:
0:000> bp mydriver!MyFunction "j @eax = 0xa3 ''; 'gc'"
0:000> bp mydriver!MyFunction ".if @eax = 0xa3 {} .else {gc}"
But the following is not guaranteed to work. When eax holds 0xc0004321,
the breakpoint may never fire.
Why?
The reason is that in kernel mode, MASM sign-extends the value in eax.
So 0xc0004321 becomes 0xFFFFFFFFc0004321,
which of course never equals the literal, so the breakpoint does not stop:
0:000> bp mydriver!MyFunction "j @eax = 0xc0004321 ''; 'gc'"
0:000> bp mydriver!MyFunction ".if @eax = 0xc0004321 {} .else {gc}"
What should we do? Mask off the high bits before comparing:
0:000> bp mydriver!MyFunction "j (@eax & 0x0`ffffffff) = 0x0`c0004321 ''; 'gc'"
0:000> bp mydriver!MyFunction ".if (@eax & 0x0`ffffffff) = 0x0`c0004321 {} .else {gc}"
With the upper 32 bits cleared to 0, the comparison works.
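To see why the unmasked comparison fails for 0xc0004321 but not for 0xa3, here is a small model of the evaluation, added as an example for this article (it is not WinDbg code). It assumes, as described above, that MASM sign-extends the 32-bit register value to 64 bits before comparing it with the literal.

```python
# Added example (not from the original article): a model of why the condition
# "@eax = 0xc0004321" never fires when MASM sign-extends eax to 64 bits.
# Assumption: register values are 32-bit, literals are 64-bit, and the
# comparison is done on 64-bit values, as the article describes.

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def sign_extend_32_to_64(reg32: int) -> int:
    """Return the 64-bit value MASM uses for a 32-bit register (sign-extended)."""
    reg32 &= MASK32
    if reg32 & 0x80000000:          # bit 31 set: the high dword fills with 1s
        return (reg32 | 0xFFFFFFFF00000000) & MASK64
    return reg32


def condition_fires(eax32: int, literal: int, mask_high: bool = False) -> bool:
    """Evaluate the breakpoint condition the way the debugger would.

    mask_high=False models   @eax = literal
    mask_high=True  models  (@eax & 0x0`ffffffff) = 0x0`<literal low dword>
    """
    lhs = sign_extend_32_to_64(eax32)
    rhs = literal & MASK64
    if mask_high:                   # the fix from the article: clear the high bits
        lhs &= MASK32
        rhs &= MASK32
    return lhs == rhs


def explain(eax32: int, literal: int) -> dict:
    """Summarise what each form of the condition does for one eax value."""
    return {
        "masm_sees_eax_as": f"0x{sign_extend_32_to_64(eax32):016x}",
        "unmasked_fires": condition_fires(eax32, literal),
        "masked_fires": condition_fires(eax32, literal, mask_high=True),
    }


if __name__ == "__main__":
    # 0xa3 has bit 31 clear, 0xc0004321 has it set; only the second one breaks.
    for value in (0xA3, 0xC0004321):
        print(hex(value), explain(value, value))
```

Any value with bit 31 set (0x80000000 and above) hits the same problem, so the mask is worth using for every NTSTATUS-style comparison, not just this one.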
The following command counts how many times VirtualAllocEx has been executed:
bp kernel32!VirtualAllocEx "r $t0 = @$t0 + 1; .printf \"function executes: %d times\", @$t0; .echo; g"
$t0 is a pseudo-register provided by WinDbg. It can be used to store intermediate information; here it stores the number of times the function has executed. The r command views and modifies register values (both CPU registers and WinDbg pseudo-registers are valid). Pick a busy process, set the breakpoint with this command and observe:
0:009> bp kernel32!VirtualAllocEx "r $t0 = @$t0 + 1; .printf \"Function executes: %d times\", @$t0; .echo; g"
0:009> g
Function executes: 1 times
Function executes: 2 times
Function executes: 3 times
Function executes: 4 times
...
Haha, this is indeed a good method.