WinDbg debugging commands (8): bp, bu, bm, bl, bc, ba, be, bd
The following uses skinhgy as an example.
1. bp (breakpoint): a breakpoint at an address. The address can be given numerically, e.g. bp 0x7783feb, or as a symbol, e.g. bp MyApp!SomeFunction.
For the symbol form WinDbg resolves MyApp!SomeFunction to its address at the moment the command is entered and sets the breakpoint on that address. This has two drawbacks:
1) After the code is rebuilt the function address changes, but the breakpoint stays at the old address and is not necessarily valid any more;
2) WinDbg does not save bp breakpoints in the workspace.
bp address, bp pseudo-register, or bp symbol name:
0:000> x simple1demo!CSimple1DemoApp::InitInstance
00640080 simple1demo!CSimple1DemoApp::InitInstance (void)
0:000> bp 00640080
0:000> bl
 0 e 00640080     0001 (0001)  0:**** simple1demo!CSimple1DemoApp::InitInstance
0:000> x kernel32!LoadLibraryW
7c80aeeb kernel32!LoadLibraryW = <no type information>
0:000> bp kernel32!LoadLibraryW
0:000> bl
 0 e 00640080     0001 (0001)  0:**** simple1demo!CSimple1DemoApp::InitInstance
 1 e 7c80aeeb     0001 (0001)  0:**** kernel32!LoadLibraryW
0:000> bp $exentry
0:000> bl
 0 e 00640080     0001 (0001)  0:**** simple1demo!CSimple1DemoApp::InitInstance
 1 e 7c80aeeb     0001 (0001)  0:**** kernel32!LoadLibraryW
 2 e 0061c895     0001 (0001)  0:**** simple1demo!ILT+14480(_wWinMainCRTStartup)
The listing shows that the three forms are equivalent: each ends up as bp <address>, because WinDbg replaces the symbol (looked up in the symbol file) or the pseudo-register ($exentry, the entry point of the executable) with the address it resolves to when the command is entered.
bp /1 Address sets a one-shot breakpoint, similar to Run to Cursor (F4 in some IDEs): once it has been hit it is deleted automatically.
For example: bp /1 00640080
bp Address Passes: Passes is the number of times the breakpoint location is passed before the breakpoint fires.
By default a breakpoint fires the first time the code at that location is executed, which is the same as Passes = 1. Setting Passes to 2 or more delays the first stop accordingly: with 2, the breakpoint fires the second time the code is executed. The parameter creates a counter that is decremented by 1 each time the code at the breakpoint executes; bl (breakpoint list) shows the current value of the counter followed by its initial value in parentheses. The counter is decremented only while the target is running under g (Go); single-stepping or tracing through the location does not decrement it. Once the counter has reached 1 the breakpoint fires on every later pass; the only way to reset it is to clear the breakpoint and set it again.
Let's try it: use bc to delete all previous breakpoints, then set a breakpoint that fires the third time LoadLibraryW is called.
0:000> bc *
0:000> bl
0:000> bp 7c80aeeb 3
0:000> bl
 0 e 7c80aeeb     0003 (0003)  0:**** kernel32!LoadLibraryW
The breakpoint is listed as 0003 (0003). Now run the target with F5 (g):
0:000> g
Breakpoint 0 hit
eax=00000002 ebx=7ffdc000 ecx=00000000 edx=00a8660c esi=0263f76e edi=0263f6f2
eip=7c80aeeb esp=0012fd68 ebp=0012fdb0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
kernel32!LoadLibraryW:
7c80aeeb 8bff            mov     edi,edi
0:000> bl
 0 e 7c80aeeb     0001 (0003)  0:**** kernel32!LoadLibraryW
The breakpoint is now listed as 0001 (0003): the first two calls were passed over and the counter was decremented twice, and the debugger stopped on the third call.
bu (breakpoint unresolved) takes a symbol, for example bu MyApp!SomeFunction. Because the symbol is kept rather than its address, the breakpoint follows the function to its new address after the code is rebuilt. bu breakpoints are stored in the WinDbg workspace and are set again automatically the next time WinDbg starts. In addition, when the module is not loaded yet, a bp on one of its functions fails (the address does not exist), whereas bu succeeds and stays unresolved until the module loads. Newer versions of WinDbg automatically convert a failed bp into a bu.
bm (breakpoint match) also takes a symbol, but supports wildcard patterns. This is useful when you need several breakpoints at once, for example on every member function of MyClass: bm MyApp!MyClass::*, or on every function whose name starts with CreateWindow: bm user32!CreateWindow*
This is handy. For example, to break on every function whose name starts with Draw, in any module:
0:000> bc *
0:000> bl
0:000> bm *!Draw*
  1: 00695930 @!"simple1demo!DrawState"
  2: 0175c790 @!"skinlog!DrawState"
  3: 019f65d0 @!"skinscroll!DrawState"
  4: 10119d10 @!"skinhgy!DrawState"
0:000> bl
 1 e 00695930     0001 (0001)  0:**** simple1demo!DrawState
 2 e 0175c790     0001 (0001)  0:**** skinlog!DrawState
 3 e 019f65d0     0001 (0001)  0:**** skinscroll!DrawState
 4 e 10119d10     0001 (0001)  0:**** skinhgy!DrawState
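As an added example that is not part of the original post, the following WinDbg command script puts the bp, bu and bm forms above, the pass count and the one-shot /1 switch into one session, and attaches a command string to each breakpoint so it logs and continues instead of stopping the target. It assumes an x86 target (first stdcall argument at esp+4), the module and symbol names from the listings above (simple1demo, skinhgy, kernel32!LoadLibraryW), and a script path of C:\dbg\bps.wds; all of these are illustrative.

```windbg
$$ Added example, not from the original post.
$$ Assumes a 32-bit target (x86 stdcall: first argument at esp+4) and the
$$ module names used in the listings above.  Path below is illustrative.
$$ Load with:  $$><C:\dbg\bps.wds   (or paste line by line at the 0:000> prompt)

$$ Start clean so the breakpoint IDs below are predictable (0, 1, 2, ...).
bc *

$$ 1. bp: resolved to an address immediately.  Pass count 3 = fire on the
$$    third call and on every call after that.  The quoted command runs on
$$    each hit: print the DLL name (LPCWSTR at esp+4) and the caller, then
$$    gc (go from conditional breakpoint) resumes execution.
bp kernel32!LoadLibraryW 3 ".printf \"LoadLibraryW(%mu) called from \", poi(@esp+4); ln poi(@esp); gc"

$$ 2. bp /1: one-shot breakpoint, deleted automatically after the first hit.
bp /1 simple1demo!CSimple1DemoApp::InitInstance

$$ 3. bu: deferred.  skinhgy may not be loaded yet.  The bp form would fail,
$$    bu stays unresolved (shown as u by bl) and goes live when the module loads.
bu skinhgy!DrawState ".echo skinhgy!DrawState hit; kb 5"

$$ 4. bm: one breakpoint per symbol matching the pattern, in every module.
$$    The command string is copied to each breakpoint bm creates.
bm *!Draw* ".printf \"Draw* hit at %p\\n\", @eip; gc"

$$ 5. bl shows id, state (e/d, u = unresolved), address, remaining (initial)
$$    pass counts, thread, symbol and the attached command in quotes.
bl

$$ bd/be pause and resume one breakpoint by id without losing its pass
$$ counter or command string.  bc <id> deletes it for good.
bd 1
be 1
```

gc rather than g at the end of a command string resumes in whatever mode was in effect when the breakpoint was hit (go, step or trace), so stepping with F10 through a region that contains one of these breakpoints does not silently turn into a full run. The pass count is applied before the command string: with 3, the .printf runs from the third LoadLibraryW call onward.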
bl (breakpoint list) lists the existing breakpoints. For each breakpoint it shows:
- Breakpoint ID: a decimal number used to refer to this breakpoint in other commands (bc, bd, be).
- Breakpoint status: e (enabled) or d (disabled).
- The letter u if the breakpoint is unresolved, i.e. its symbolic reference does not match any currently loaded module.
- The virtual address or symbol expression of the breakpoint location. If source line loading is enabled, bl shows the file and line number instead of address and offset. An unresolved breakpoint has no address and is listed at the end.
- (Data breakpoints only) the type and size of the access. Type is e (execute), r (read/write), w (write) or i (input/output), followed by the size in bytes. See ba (break on access) below.
- The number of passes remaining before the breakpoint fires, followed by the initial count in parentheses (see the Passes parameter above).
- The associated process and thread. Three asterisks (***) in the thread field mean the breakpoint is not tied to a specific thread.
- The module, function and offset matching the breakpoint address. For an unresolved breakpoint this is replaced by the breakpoint expression in parentheses; for a valid address with no symbol information the field is empty.
- The command string that is executed automatically when the breakpoint fires, in quotation marks.
bc (breakpoint clear) removes previously set breakpoints. It takes a breakpoint ID or a list of IDs; use an asterisk (*) to clear all breakpoints.
Finally, the ba breakpoint.
ba (break on access) sets a data breakpoint, which fires when the specified memory is accessed. Format:
ba Access Size Address
Access is the kind of access: e (execute), r (read or write), w (write) or i (input/output, kernel mode only).
Size is the size of the monitored location in bytes: 1, 2 or 4, or 8 on 64-bit targets. For Access = e the size must be 1.
For example, to break on a write to the 4 bytes at 0x0483dfe, run ba w4 0x0483dfe. One caveat: the x86 debug registers that implement ba only work correctly when the address is aligned to Size (a w4 breakpoint needs a 4-byte aligned address), so take the address from x or dv rather than typing it from memory.
Access and Size are written together with no space between them (w4, not w 4).
0:000> bc *
0:000> ba r4 00a76748
0:000> bl
 0 e 00a76748 r 4 0001 (0001)  0:**** simple1demo!`string'
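The following WinDbg command script is an added example, not code from the original post. It sets the write watchpoint described above on a global, checks the alignment first, and attaches a command that reports the old and new value and the writing instruction; it assumes an x86 target, a hypothetical global named simple1demo!g_State (substitute the variable you actually want to watch), and an illustrative script path.

```windbg
$$ Added example, not from the original post: watch a 4-byte global for writes.
$$ Assumes an x86 target and a hypothetical global simple1demo!g_State
$$ (substitute the variable you care about, taken from x or dv).
$$ Load with:  $$><C:\dbg\watch.wds   (path is illustrative)

$$ x86 exposes four debug registers (DR0-DR3), so at most four ba breakpoints
$$ can be live at once, and each address must be aligned to its Size.
x simple1demo!g_State
? simple1demo!g_State & 3        $$ must evaluate to 0 for a w4 breakpoint

$$ Remember the current value so each hit can show old -> new.
r $t0 = dwo(simple1demo!g_State)

$$ A data breakpoint fires after the access completes, so eip already points
$$ past the writing instruction: ub @eip L1 shows that instruction, k 3 shows
$$ who called it, and gc resumes without stopping the target.
ba w4 simple1demo!g_State ".printf \"g_State %08x -> %08x\\n\", @$t0, dwo(simple1demo!g_State); ub @eip L1; k 3; r $t0 = dwo(simple1demo!g_State); gc"

$$ r4 would also stop on reads (r means read or write).  e1 stops on execution
$$ of the first byte like bp does, but through the debug register instead of
$$ an int 3 written into the code, which matters when the target checksums
$$ its own code pages.
ba e1 simple1demo!CSimple1DemoApp::InitInstance ".echo InitInstance reached through a hardware breakpoint; gc"

$$ bl lists them with the access type and size (w 4, e 1) between the
$$ address and the pass counts.
bl
```

Because the watchpoint reports the instruction that already executed, the new value is read from memory in the command string rather than from a register; the pseudo-register $t0 carries the previous value across hits so each line shows the transition.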
be (breakpoint enable) re-enables a breakpoint that was disabled; bd (breakpoint disable) disables a breakpoint without deleting it, so its ID, pass counter and command string are kept. Both take a breakpoint ID, a list of IDs, or * for all breakpoints, e.g. bd 0 and be *.