WINDBG-BP, BM, BU, bl, BC, BA (breakpoints, hardware breakpoints)

Source: Internet
Author: User

BP

The bp command sets a breakpoint at an address: bp 0x7783feb, or, with a symbol, bp myapp!SomeFunction.

For the latter, WinDbg automatically resolves myapp!SomeFunction to the corresponding address and sets the breakpoint there. The problems with bp are:

1) When the code changes and the function address moves, the breakpoint stays at the old address and is not necessarily valid any more;

2) WinDbg does not save bp breakpoints in the workspace.

bp address, bp pseudo-register or bp symbol name:

    0:000> x simple1demo!CSimple1DemoApp::InitInstance
    00640080 simple1demo!CSimple1DemoApp::InitInstance (void)
    0:000> bp 00640080
    0:000> bl
     0 e 00640080     0001 (0001)  0:**** simple1demo!CSimple1DemoApp::InitInstance
    0:000> x kernel32!LoadLibraryW
    7c80aeeb kernel32!LoadLibraryW = <no type information>
    0:000> bp kernel32!LoadLibraryW
    0:000> bl
     0 e 00640080     0001 (0001)  0:**** simple1demo!CSimple1DemoApp::InitInstance
     1 e 7c80aeeb     0001 (0001)  0:**** kernel32!LoadLibraryW
    0:000> bp $exentry
    0:000> bl
     0 e 00640080     0001 (0001)  0:**** simple1demo!CSimple1DemoApp::InitInstance
     1 e 7c80aeeb     0001 (0001)  0:**** kernel32!LoadLibraryW
     2 e 0061c895     0001 (0001)  0:**** simple1demo!ILT+14480(_wWinMainCRTStartup)

The example above shows that the three forms are equivalent: each ends up as bp address (WinDbg replaces the symbol with the address taken from the symbol file, or the pseudo-register with its current value).

bp /1 address sets a one-time breakpoint, somewhat like F4 (run to cursor) in OllyDbg: it is deleted automatically as soon as it is hit:

for example bp /1 00640080

bp address passes: passes is the number of times the breakpoint is ignored before it is activated.

By default a breakpoint is activated the first time the code at its address is executed; this is the same as setting passes to 1. To activate the breakpoint only after the program has executed past it at least once, set the value to 2 or greater. For example, a value of 2 activates the breakpoint the second time that code is executed. The parameter creates a counter that is decremented by 1 each time the code at the breakpoint runs. To view the initial and current values of the passes counter, use bl (breakpoint list). Passes is decremented only when the program is running in response to the g (Go) command and executes through the breakpoint; single-stepping or tracing through it does not decrement it. Once passes reaches 1, you can reset it by clearing and setting the breakpoint again.

Let's use bc to remove the previous breakpoints, then set a breakpoint that activates on the third call to LoadLibraryW:

    0:000> bc *
    0:000> bl
    0:000> bp kernel32!LoadLibraryW 3
    0:000> bl
     0 e 7c80aeeb     0003 (0003)  0:**** kernel32!LoadLibraryW

We notice that the breakpoint is listed as 0003 (0003). Now run with F5 (g):

    0:000> g
    Breakpoint 0 hit
    eax=00000002 ebx=7ffdc000 ecx=00000000 edx=00a8660c esi=0263f76e edi=0263f6f2
    eip=7c80aeeb esp=0012fd68 ebp=0012fdb0 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
    kernel32!LoadLibraryW:
    7c80aeeb 8bff            mov     edi,edi
    0:000> bl
     0 e 7c80aeeb     0001 (0003)  0:**** kernel32!LoadLibraryW

The breakpoint now shows 0001 (0003), which means it was ignored twice before it hit.

The bu command sets a breakpoint on a symbol, for example bu myapp!SomeFunction. After the code has been modified and the function address changes, the breakpoint is automatically updated to the new location. A bu breakpoint is also saved in the WinDbg workspace and is restored automatically the next time WinDbg starts. In addition, when the module is not yet loaded a bp breakpoint fails (the function address does not exist yet), whereas a bu breakpoint succeeds. Newer versions of WinDbg automatically convert bp to bu when bp fails.

The bm command also sets breakpoints on symbols, but it supports wildcard patterns, which is convenient when you need several breakpoints at once. For example, to break on all member functions of MyClass: bm myapp!MyClass::*; or to break on every function whose name starts with CreateWindow: bm user32!CreateWindow*

This is useful; for example, I want to break on every function whose name starts with draw:

    0:000> bc *
    0:000> bl
    0:000> bm *!draw*
      1: 00695930 @!"simple1demo!DrawState"
      2: 0175c790 @!"skinlog!DrawState"
      3: 019f65d0 @!"skinscroll!DrawState"
      4: 10119d10 @!"skinhgy!DrawState"
    0:000> bl
     1 e 00695930     0001 (0001)  0:**** simple1demo!DrawState
     2 e 0175c790     0001 (0001)  0:**** skinlog!DrawState
     3 e 019f65d0     0001 (0001)  0:**** skinscroll!DrawState
     4 e 10119d10     0001 (0001)  0:**** skinhgy!DrawState

The BL (breakpoint list) command lists information about breakpoints that already exist

For each breakpoint, the command displays the following information:

  • The breakpoint ID. The ID is a decimal number that can reference this breakpoint in other commands.
  • The breakpoint state. It can be either E ( enabled) or D (disabled).
  • If the letter "u" appears after the state, the breakpoint is unresolved: the symbol reference in the breakpoint does not match any currently loaded module.
  • The virtual address or symbol expression of the breakpoint location. If source line loading is enabled, bl displays the file and line number instead of the address offset. If the breakpoint is unresolved, its address is omitted and the entry appears at the end of the list.
  • (data breakpoints only) The type and size of the data breakpoint. The type can be e (execute), r (read/write), w (write) or i (input/output), and is followed by the size in bytes. For more information on this kind of breakpoint, see ba (Break on Access).
  • The number of times the breakpoint still has to be ignored before it is activated, followed by the initial number in parentheses. (See the description of the Passes parameter under bp, bu, bm (Set Breakpoint).)
  • The associated process and thread. If the thread is shown as four asterisks ("****"), the breakpoint is not restricted to a specific thread.
  • The module and function that match the breakpoint address, plus the offset. For an unresolved breakpoint this field is replaced by the breakpoint expression in parentheses. If the breakpoint is at a valid address for which there is no symbol information, the field is empty.
  • The command to be executed automatically when the breakpoint is hit, enclosed in quotation marks.
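As an added example (not from the original page), a small Python parser for the bl listing described above; the sample listing is constructed from this page's transcripts, the field layout follows the list above, and the passes counts are assumed to print in WinDbg's default hex radix:

```python
import re
from dataclasses import dataclass
from typing import Optional

# One "bl" line: id, state (e/d), address, optional ba type+size,
# remaining (initial) passes, proc:thread, symbol (the fields listed above).
BL_LINE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<state>[ed])u?\s+(?P<addr>[0-9a-fA-F`]+)"
    r"(?:\s+(?P<atype>[erwi])\s+(?P<asize>\d))?"
    r"\s+(?P<left>[0-9a-fA-F]{4})\s+\((?P<init>[0-9a-fA-F]{4})\)"
    r"\s+(?P<proc>\d+):(?P<thread>\*{4}|~\d{3})\s*(?P<symbol>.*?)\s*$"
)

SAMPLE_BL = """\
 0 e 7c80aeeb     0001 (0003)  0:**** kernel32!LoadLibraryW
 1 e 00a76748 r 4 0001 (0001)  0:**** simple1demo!`string'
 2 d 0134bfc0     0001 (0001)  0:~001 simple1demo!DrawState
"""  # constructed sample, modelled on the listings on this page

@dataclass
class Breakpoint:
    bp_id: int
    enabled: bool
    address: int
    passes_left: int
    passes_init: int
    thread: Optional[int]          # None when listed as **** (any thread)
    symbol: str
    access: Optional[str] = None   # ba breakpoints only: e, r, w or i
    size: Optional[int] = None     # ba breakpoints only: bytes monitored

def parse_bl(output: str) -> list:
    """Turn bl output into Breakpoint records; non-matching lines are skipped."""
    found = []
    for line in output.splitlines():
        m = BL_LINE.match(line)
        if not m:
            continue
        found.append(Breakpoint(
            bp_id=int(m["id"]),
            enabled=m["state"] == "e",
            address=int(m["addr"].replace("`", ""), 16),
            passes_left=int(m["left"], 16),   # WinDbg prints counts in its default radix (hex)
            passes_init=int(m["init"], 16),
            thread=None if m["thread"] == "****" else int(m["thread"][1:]),
            symbol=m["symbol"],
            access=m["atype"],
            size=int(m["asize"]) if m["asize"] else None,
        ))
    return found
```

The difference passes_init - passes_left gives how many hits a breakpoint has already skipped, which is what the 0001 (0003) listing above expresses.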

The bc (breakpoint clear) command removes previously set breakpoints.

Use an asterisk (bc *) to clear all breakpoints.

Memory Breakpoint (Hardware breakpoint)

The ba command sets a data breakpoint that is triggered when the specified memory is accessed. The command format is

ba Access Size [Address]

Access is the kind of access: e (execute), r (read/write), w (write)

Size is the size, in bytes, of the memory location to monitor. The value is 1, 2 or 4, or 8 on a 64-bit machine.

If Access is e, Size must be 1.

For example, to break when the memory at 0x0483dfe is written, use ba w4 0x0483dfe

There must be no space between Access and Size.

    0:000> bc *
    0:000> ba r4 00a76748
    0:000> bl
     0 e 00a76748 r 4 0001 (0001)  0:**** simple1demo!`string'

Sometimes we want the program to break only on a particular thread.

This can be done with:

    0:005> ~1 bp simple1demo!DrawState
    0:005> bl
     0 e 0134bfc0     0001 (0001)  0:~001 simple1demo!DrawState
    0:005> bp simple1demo!DrawState
    0:005> bl
     0 e 0134bfc0     0001 (0001)  0:~001 simple1demo!DrawState

The ~1 prefix means the debugger stops only when the thread with debugger thread ID 1 executes the code at the breakpoint address.

On x86, DR0-DR3 hold the breakpoint addresses, DR6 is the breakpoint status register and DR7 is the breakpoint control register.

Also, at the initial breakpoint a hardware breakpoint cannot be set; if you try, you get the following error:

    0:000> ba r1 7c92120f
            ^ Unable to set breakpoint error
    The system resets thread contexts after the process breakpoint so hardware breakpoints cannot be set.
    Go to the executable's entry point and set it then.

The system resets the thread contexts after the initial breakpoint, so a hardware breakpoint cannot be set there; go to the program's entry point first (the $exentry pseudo-register used above) and set it then.

    0:002> ba e1 00bc1b3a
    breakpoint 0 redefined
    0:002> r dr0
    dr0=00bc1b3a
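As an added example (not WinDbg's or the page's own code), a Python model of how ba requests map onto DR0-DR3 and DR7 and how DR6 reports a hit; it enforces the ba syntax rules above (access letter, size, the size-1 rule for e) and reproduces the dr0 readback shown here. The alignment check and the four-slot limit come from the x86 debug-register layout, not from this page.

```python
from dataclasses import dataclass, field

# DR7 field encodings (Intel SDM vol. 3, "Debug Registers")
RW_BITS = {"e": 0b00, "w": 0b01, "i": 0b10, "r": 0b11}   # R/Wn: execute, write, I/O, read-or-write
LEN_BITS = {1: 0b00, 2: 0b01, 8: 0b10, 4: 0b11}          # LENn: 8 bytes only exists in 64-bit mode

@dataclass
class DebugRegisters:
    """Constructed model of DR0-DR3 (addresses), DR6 (status) and DR7 (control)."""
    dr: list = field(default_factory=lambda: [0, 0, 0, 0])
    dr6: int = 0
    dr7: int = 0

    def ba(self, access: str, size: int, address: int) -> int:
        """Emulate 'ba <access><size> <address>'; returns the DRn slot used."""
        if access not in RW_BITS:
            raise ValueError("access must be e, r, w or i")
        if size not in LEN_BITS:
            raise ValueError("size must be 1, 2, 4 or 8")
        if access == "e" and size != 1:
            # LENn must be 00 for an execute breakpoint, hence WinDbg's "size must be 1" rule
            raise ValueError("execute breakpoints must have size 1")
        if address % size:
            # the CPU ignores the low address bits covered by LENn, so the address must be aligned
            raise ValueError("address must be aligned to size")
        for slot in range(4):
            if not self.dr7 & (1 << (2 * slot)):           # Ln clear: slot is free
                break
        else:
            raise RuntimeError("all four hardware breakpoints (DR0-DR3) are in use")
        self.dr[slot] = address
        self.dr7 |= 1 << (2 * slot)                                    # Ln: local enable
        self.dr7 &= ~(0b1111 << (16 + 4 * slot))                       # clear R/Wn and LENn
        self.dr7 |= (LEN_BITS[size] << 2 | RW_BITS[access]) << (16 + 4 * slot)
        return slot

    def describe(self) -> list:
        """Decode DR7/DRn back into ba-style commands, e.g. 'ba e1 00bc1b3a'."""
        out = []
        for slot in range(4):
            if self.dr7 & (1 << (2 * slot)):
                bits = (self.dr7 >> (16 + 4 * slot)) & 0b1111
                access = next(k for k, v in RW_BITS.items() if v == bits & 0b11)
                size = next(k for k, v in LEN_BITS.items() if v == bits >> 2)
                out.append(f"ba {access}{size} {self.dr[slot]:08x}")
        return out

    def fired(self) -> list:
        """Slots whose Bn bit is set in DR6, i.e. which breakpoint raised the debug exception."""
        return [s for s in range(4) if self.dr6 & (1 << s)]
```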
