More on Using Conditional Break Point

In the previous article I covered WinDBG's conditional break-point for a single condition on one register's value.

What if I want to break at a certain address on multiple conditions involving various register values?

For example, to break at a certain address when the eax register holds a value in the range 0x400 to 0x475, I can write:

bp [address] "j ((@eax >= 0x400)&(@eax <= 0x475)) '';'gc'"

Another example, to break at a certain address when eax = 0x3025 and esi = 0x4E:

bp [address] "j ((@eax = 0x3025)&(@esi = 0x4E)) '';'gc'"

OK, that's nice. But what if the value to examine is not in a register but in memory, at some address?

For example, in one of my debugging sessions I wanted to examine the second parameter of a function (at ebp+c), and the break should happen only when this parameter, a Windows message, is 0x0202 (WM_LBUTTONUP).

In other words, I want to break in that function only when the user performs a mouse click, usually on some button.

After analysing the arguments, the window message value in this function is the parameter at ebp+0x0c.

It would be easy if the value of this parameter were at some point copied into a register, because then I could use the conditional break-point pattern above.

But the pattern above cannot be used when this parameter is never moved into any register.

In this case, I can use the ubiquitous "poi" operator provided by WinDBG :

bp [address] "j (poi(@ebp+0xc)==0x202) '';'gc'"

The poi operator in poi(@ebp+0xc) evaluates to the value stored at the address ebp+0xc (the second argument); writing the register as @ebp and the offset as 0xc avoids any ambiguity with symbol names in the MASM expression evaluator. So, when this parameter contains the value 0x202 (WM_LBUTTONUP), WinDBG will break at the specified address.
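Added example, not from the original post: a short WinDBG session that checks the poi expression before arming the breakpoint, then goes one step beyond the text by combining the dereference with a two-condition test in the style of the register examples. It assumes you are stopped inside the function after the frame is set up (so @ebp+8 is the first argument), that the arguments follow the WndProc order hwnd, uMsg, wParam, lParam, and it reuses the [address] placeholder from above.

```windbg
$$ Sanity check while stopped inside the function, after push ebp / mov ebp,esp:
$$ the value printed here should be the current window message.
? poi(@ebp+0xc)

$$ Break for either WM_LBUTTONDOWN (0x201) or WM_LBUTTONUP (0x202).
$$ '|' is the MASM bitwise OR, combining the two tests the same way '&' did above.
$$ On a hit, dump the four argument dwords (hwnd, uMsg, wParam, lParam) and stop,
$$ otherwise gc resumes execution.
bp [address] "j ((poi(@ebp+0xc) == 0x201) | (poi(@ebp+0xc) == 0x202)) 'dd @ebp+8 L4' ; 'gc'"

$$ List the breakpoints to confirm the command string was stored as intended.
bl
```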
