1. A conditional breakpoint is a breakpoint command (BP or BU) that is used with the J command or the. If command followed by a GC command
0:000> bp Address "J (Condition) 'optionalcommands'; ' GC ' "
0:000> bp Address ". if (Condition) {optionalcommands}. else {GC}"
2. Here is the J command, the syntax of the J command is as follows, where expression is the expressions, by calculating the value of an expression, true points to Command1, false to Command2
J Expression Command1 ; Command2
J Expression 'Command1'; 'Command2'
Multiple commands can also be used here, multiple commands are enclosed in single quotes, and semicolons are used; Separated, if the command string has one, then single quotation marks can also be omitted
Command2 cannot add extra commands or additional semicolons, even if you add, the value after the Command2 semicolon is ignored.
0:000> J (mysymbol=0) ' r eax '; ' R ebx; R ecx ' if Mysymbol is 0, execute r eax, otherwise execute r ebx r ecx
You can omit the single quotation mark appended to r eax, and if you want to ignore the command, use a space directly as a marker
0:000> J (mysymbol=0) "; ' R ebx; R ECX '
0:000> J (mysymbol=0); ' R ebx; R ECX '
You can also use the J command in other commands, for example, you can use the J command to create a conditional breakpoint
0:000> bp ' mysource.cpp:143 ' "J (Poi (MyVar) >0n20) '; ' GC ' "
3. Here both say Z command Z (execute while), when the condition is set, the z command executes a command
User-mode
Command ; Z ( Expression )
Kernel-mode
Command ; [Processor] Z ( Expression )
Command : commands are executed at least once when the expression condition is true
In many debugger commands, semicolons are used to split irrelevant commands, and in the z command, the semicolon splits the z command from the command arguments
The command command is always executed at least once, and when the expression detects nonzero, it is executed again, and the expression is detected again, which behaves like a C-do-while loop, not a simple while loop
If there are many separate commands on the left side of "Z", all commands on the left side of Z will be executed when the expression is true.
If you add additional semicolons and additional commands after Z, these additional commands will be executed after the Lopp is complete, but it is generally not recommended because he produces meaningless output
Unless the other behavior expression becomes false
Note that you can nest Z commands
The following code shows a method of zeroing in a EAX register
0:000> reax = eax-1; Z (EAX)
The following code shows that the EAX and EBX registers are incremented until one of them is at least 8, and then the ECX register +1
0:000> reax=eax+1; rebx=ebx+1; Z ((eax<8) | ( EBX<8)); Recx=ecx+1 (come here to understand do-while easier to understand)
The following example uses the C + + expression syntax and then uses $t 0 as the register as the loop variable
0:000>. expr/s C + +
Current expression evaluator:c++-C + + source expressions
DB pindexcreate[@ $t 0].szkey; [Email protected]+1; Z (@ $t 0 < cindexcreate)
4. Say it here. If Mark (token)
.if ( Condition ) { Commands }
.if ( Condition ) { Commands } . else { Commands }
.if ( Condition ) { Commands } .elsif ( Condition ) { Commands }
.if ( Condition ) { Commands } .elsif ( Condition ) { Commands } . else { Commands }
Condition: If the condition evaluates to 0, it is false, otherwise, as true, the condition in parentheses is optional, the condition must be an expression, not a debugger command, it will be computed by MASM or C + + syntax
Commands: One or more commands are executed conditionally, the command block needs to be enclosed in curly braces, even if there is only one command inside, multiple commands should be separated by semicolons, but the last command does not need a semicolon
5. Here's the GC command (Go from Conditional Breakpoint)
The GC command resumes execution from a conditional breakpoint, the same as the breakpoint
This should be a GC command when the end of a conditional breakpoint contains a command to execute
0:000> bp Address "J (Condition) 'optionalcommands'; ' GC ' "
When the expression is false and a breakpoint is encountered, it will be executed with the same type as the last time, for example, you encounter this breakpoint with the G command and will resume execution, but when you step here, the GC will resume in a single step.
In addition, the following is an incorrect breakpoint formula that will always resume execution, even if you are stepping before you encounter a breakpoint
0:000> bp Address "J (Condition) 'optionalcommands'; ' G ' "
6. The basic syntax for conditional breakpoints using the J command is as follows:
0:000> bp Address "J (Condition) 'optionalcommands'; ' GC ' "
The syntax for conditional breakpoints using the. If flag is as follows:
0:000> bp Address ". if (Condition) {optionalcommands}. else {GC}"
The following command sets a breakpoint in the 143 line of the MYSOURC.DPP file, and when this breakpoint is triggered, the variable myvar is detected, if the variable is less than or equal to 20, the execution continues, and if it is greater than 20, the execution is stopped.
0:000> bp ' mysource.cpp:143 ' "J (Poi (MyVar) >0n20) '; ' GC ' "
0:000> bp ' mysource.cpp:143 '. if (POI (MyVar) >0n20) {}. else {GC} "
Here to explain a wave
The BP command is to set breakpoints, even if the above two examples use BP, you can still use the BU command
The source file and the number of rows are specified with ~
When the breakpoint is triggered, the command in the double quotation mark "" is executed, in the example above, the command is a J command or an. If tag, and the expression is tested in parentheses
In the source program, MyVar is an integer, and if you use C + + syntax, MyVar will act as an integer, in this case (already the default debugger configuration) using the MASM expression syntax,
In a MASM expression, MyVar is treated as an address, so you need the POI operator to dereference it
If your variable is a c pointer, then you need to dereference two times, like this poi (POI (myptr)), 0n prefix, which means that this is a 10 binary
The expressions in parentheses follow the two commands followed by the single quotation mark ' protection, followed by the ' if ' flag followed by the angle brackets {}, if the expression is true, the first command is executed,
In the example above, the first command is empty because the command is not executed and the control is given to the debugger, and if the expression in parentheses is false, the second command is executed
The second command should use the GC as much as possible because the command resumes execution just as it did before the breakpoint was last triggered (step, step, free to execute)
If you want to see the message each time you pass a breakpoint or a final hit, you can use a different command in single quotation marks or curly braces. For example:
0:000> bp ': 143 ' "J (Poi (MyVar) >5) '. Echo MyVar Too Big '; echo MyVar acceptable; GC ' "
0:000> bp ': 143 ' ". if (Poi (MyVar) >5) {. Echo MyVar Too Big}. else {. echo MyVar acceptable; GC} "
These comments are important if you have several breakpoints at the same time triggered, the debugger does not show which breakpoint hit
7. Conditional Breakpoints and register symbol extensions
You can set the conditional breakpoint above the register value, and the following command will be broken at the beginning of the MyFunction function, if the EAX register equals 0xa3
0:000> bp mydriver!myfunction "J @eax = 0xa3"; ' GC ' "
0:000> bp mydriver!myfunction ". If @eax = 0xa3 {}. else {GC}"
Note that similar commands below are not necessarily interrupted when eax equals 0xc0004321
0:000> bp mydriver!myfunction "J @eax = 0xc0004321"; ' GC ' "
0:000> bp mydriver!myfunction ". If @eax = 0xc0004321 {}. else {GC}"
The above command will fail because the MASM expression evaluates to a high of 1 for the symbol extension register, and when the value of EAX is 0xc0004321, it will be used as the 0xffffffff~c0004321,
But not in user mode, so the previous command in user mode will not work properly, if you block the high eax, the command will work in kernel mode, but now he will fail in user mode
In order for your command to work properly in both user and kernel mode, you should block the high 32 bits in the command above, with the and operator and Operation 0X00000000~FFFFFFFF
0:000> bp mydriver!myfunction "J (@eax & 0x0 ' ffffffff) = 0x0 ' c0004321 '; ' GC ' "
0:000> bp mydriver!myfunction ". if (@eax & 0x0 ' ffffffff) = 0x0 ' c0004321 {}. else {GC} '
8. Limitations of conditional breakpoints
If you control the user-State debugger from the kernel debugger, you cannot use conditional breakpoints or any other breakpoint command, such as the GC command, the G command, if you use these commands, the serial interface may not hold the number of breakpoints, and you will not be able to break back into the CDB
WinDbg Conditional Breakpoint Summary