Examine data in windbg when a break on address (ba

2019-03-05 22:33发布

问题:

I'd like to create a breakpoint such that it will create another one-time breakpoint that will 'dd' a certain memory address when that memory is written to.

So when the breakpoint is hit, I'd like to run a command like:

  ba w4 @ESP+4 /1 ''dd [memory address of this breakpoint]''

Since this breakpoint is being created by another breakpoint (and could potentially be called several times), I can't specify the breakpoint number. Otherwise I could use a pseudo register like '$bp3' to get the memory address of breakpoint #3

Would anyone have any thoughts on how to create a breakpoint command that can 'dd' the memory address of the breakpoint?

Thank you!

回答1:

you can elaborate to make use of other general purpose pseudo-registers: t0..t19

bp your-address "r$t1=your-other-address; ba w4 @$t1 /1 \"dd @$t1;gc\""


回答2:

If you know there will never be more than one "child" ba breakpoint defined, you can actually use a @$bpN pseudo-register by setting the "controlling" breakpoint's command to:

ba1 w4 /1 @esp+4 "dd @$bp1"

That is, specify the breakpoint number that that this new breakpoint should be assigned, and the pseudo-register for that breakpoint is still defined within the breakpoint's command.

However, if you think the controlling breakpoint will be hit multiple times and want multiple ba breakpoints defined, that obviously won't work because then "breakpoint 1" will just be redefined each time. But you can still do it!

The trick is to make the controlling breakpoint's command actually contain the literal address text rather than try to go through a pseudo-register. And you can do that with text aliases.

Try this for your controlling breakpoint:

bu @WHATEVER "aS /x ${/v:baaddy} @esp+4; .block{ ba w4 /1 baaddy \"dd baaddy\"; ad ${/v:baaddy} }"

When the controlling breakpoint is hit, the following happens:

  • An alias is setup for the text "baaddy" with the value of evaluating the expression @esp+4.
  • The .block ensures that alias expansion happens for what follows.
  • The alias interpreter will then expand all occurrences of "baaddy" within the block, except for in the ad command (because of the /v switch).
  • So if the value of @esp+4 is 0x1234 the access breakpoint command literally becomes: ba w4 /1 0x1234 \"dd 0x1234\" with the actual address embedded in it.
  • Then the text alias is deleted.

It's important to delete the text alias at the end or the next time this controlling breakpoint is hit, the alias expansion will happen before the aS command, and "baaddy" will be expanded using the previous value. That also means it's important that this text alias does not exist the first time you set the controlling breakpoint's command.