Conditional breakpoint: a breakpoint command combined with j (execute if-else) and gc (go from conditional breakpoint).
Example: bp Address "j (Condition) 'OptionalCommands'; 'gc' "
Here we briefly explain how to write the following kinds of conditions.
1. Non-struct variables: "j (poi(myvar) > 5) ''; 'gc' "
Here myvar is an integer variable. The default debugger configuration uses MASM expression syntax, so myvar is treated as a pointer (its address) and must be dereferenced with poi when the condition is evaluated. If the debugger is configured for C++ expression syntax, myvar is parsed as the integer variable itself and can be used in the condition directly. The command on the true branch is empty (''), so when the condition holds the debugger simply breaks here; otherwise the else branch runs gc, which resumes execution from the conditional breakpoint.
2. Struct variables: "j (@@c++(mystruct->field) > 5) ''; 'gc' "
To test a member of a struct variable, have the C++ evaluator parse the expression: @@c++(...). Because the default configuration is MASM syntax, this is the way to reach struct members inside a condition.
3. Registers:
   (1) "j @eax = 0xa3 ''; 'gc' " <1>
   (2) "j @eax = 0xc0004321 ''; 'gc' " <2>
   (3) "j (@eax & 0x0`ffffffff) = 0x0`c0004321 ''; 'gc' " <3>
<1>: this breakpoint is triggered when eax equals 0xa3.
In MASM expressions, registers are sign-extended: even though you wrote 0xc0004321, the register value is actually treated as 0xffffffff`c0004321. This sign extension occurs only in kernel mode, so form <2> fails there. The best fix is to compare as in form <3>, masking the register down to its low 32 bits before comparing; that form works in both kernel mode and user mode.
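The three forms above collected into one debugger session, as an added example that is not part of the original note. The symbols MyModule!MyFunction, myvar, mystruct and field are hypothetical placeholders and do not refer to any real target; everything else is the j/gc syntax described above.

```windbg
* Added example (hypothetical symbols: MyModule!MyFunction, myvar, mystruct, field).
* Each bp sets a conditional breakpoint: true branch '' breaks, else branch 'gc' resumes.

* 1. Non-struct integer variable. MASM syntax treats myvar as an address,
*    so poi() dereferences it before the comparison.
bp MyModule!MyFunction "j (poi(myvar) > 5) ''; 'gc' "

* 2. Struct member. Hand the expression to the C++ evaluator with @@c++(...),
*    because the default MASM evaluator cannot resolve mystruct->field.
bp MyModule!MyFunction "j (@@c++(mystruct->field) > 5) ''; 'gc' "

* 3. Register compare that is safe in both user and kernel mode:
*    mask off the sign extension before comparing the low 32 bits.
bp MyModule!MyFunction "j (@eax & 0x0`ffffffff) = 0x0`c0004321 ''; 'gc' "

* Variant: instead of an empty true branch, show the value and the stack on hit.
* The commands do not end in g/gc, so the debugger still stops afterwards.
bp MyModule!MyFunction "j (poi(myvar) > 5) 'dd myvar L1; k'; 'gc' "

* Confirm what was set.
bl
```

Each breakpoint is evaluated on every hit of MyModule!MyFunction; only the hits where the condition holds stop in the debugger, the rest continue through gc. Form 3 is the one to use for 32-bit register comparisons on a kernel-mode target, since the unmasked form 2 fails there as explained above.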
Pseudo-registers can also be written into these expressions; that is covered later.