Before I got distracted with cred roaming and new netlogon goodness… we were talking about breakpoints.

We discussed basic commands and then saw some uses for the command string parameter.

[~Thread] bp[ID] [Options] [Address [Passes]] ["CommandString"]

Another thing you can do is get creative with enabling and disabling breakpoints.

Say you want to set a BP on a very common call like advapi32!CommonCall, but you don't want to hit all of the instances.

You can set a BP on the caller, mycode!caller, and then use this BP to enable the next one for advapi32!CommonCall.

Let's say that your 'common call' is USER32!DialogBox2.

0:000> KL
ChildEBP RetAddr
001ff638 7689b5bc ntdll!KiFastSystemCallRet
001ff63c 76891598 USER32!NtUserWaitMessage+0xc
001ff670 76891460 USER32!DialogBox2+0x202
001ff698 768914a2 USER32!InternalDialogBox+0xd0
001ff6b8 768b12de USER32!DialogBoxIndirectParamAorW+0x37
001ff6dc 77001832 USER32!DialogBoxParamW+0x3f
001ff700 7711a0e5 SHELL32!SHFusionDialogBoxParam+0x32
001ff734 0057441c SHELL32!ShellAboutW+0x40
001ff7b8 00571576 notepad!NPCommand+0x718
001ff7dc 768a1a10 notepad!NPWndProc+0x4cf
001ff808 768a1ae8 USER32!InternalCallWinProc+0x23
001ff880 768a2a47 USER32!UserCallWinProcCheckWow+0x14b
001ff8e4 768a2a98 USER32!DispatchMessageWorker+0x322
001ff8f4 005714e9 USER32!DispatchMessageW+0xf
001ff928 00571971 notepad!WinMain+0xe3
001ff9b8 76b63833 notepad!__mainCRTStartup+0x140
001ff9c4 77b1a9bd kernel32!BaseThreadInitThunk+0xe
001ffa04 00000000 ntdll!_RtlUserThreadStart+0x23

Set your breakpoints.

0:000> bp USER32!DialogBox2
0:000> bp USER32!DialogBoxParamW

Note that the two are enabled ('e') and have the IDs 0 and 1.

0:000> bl
 0 e 76891244     0001 (0001)  0:**** USER32!DialogBox2
 1 e 768b129f     0001 (0001)  0:**** USER32!DialogBoxParamW

Now, we don't want to hit BP0 all the time. Let's say that it's called from 20 other places, so go ahead and disable it.

0:000> bd 0
0:000> bl
 0 d 76891244     0001 (0001)  0:**** USER32!DialogBox2
 1 e 768b129f     0001 (0001)  0:**** USER32!DialogBoxParamW

Now we set up BP1 to enable BP0 when it hits, and then 'go'.

0:000> bp 768b129f "be 0;g"
breakpoint 1 redefined

0:000> bl
 0 d 76891244     0001 (0001)  0:**** USER32!DialogBox2
 1 e 768b129f     0001 (0001)  0:**** USER32!DialogBoxParamW "be 0;g"

Note that BP0 is still disabled… now go and see what happens.

0:000> g
Breakpoint 0 hit
eax=00520576 ebx=00000000 ecx=00520576 edx=01920570 esi=00000001 edi=00630ccc
eip=76891244 esp=001ff674 ebp=001ff698 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
USER32!DialogBox2:
76891244 8bff            mov     edi,edi

0:000> bl
 0 e 76891244     0001 (0001)  0:**** USER32!DialogBox2
 1 e 768b129f     0001 (0001)  0:**** USER32!DialogBoxParamW "be 0;g"

When we hit BP1, it enables BP0 and then goes; we then break in on BP0 in a more specific manner.

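The same caller-gated pattern, written out as one command sequence you can paste into the same notepad session. This is an added example, not part of the original post: it uses the explicit-ID form bp0 / bp1 from the syntax line above so the IDs referenced in the command strings are fixed, gives the callee breakpoint its own command string so it closes the gate again after one hit, and keeps a hit counter in the user pseudo-register $t0 (the counter and the kL in BP0's command string are additions, not something the original session does).

```windbg
$$ Added example (not from the original post): gate the noisy callee
$$ breakpoint (USER32!DialogBox2) behind the caller breakpoint
$$ (USER32!DialogBoxParamW), and have the callee close the gate again.
$$ Assumes the same notepad session as the session above.

$$ BP0: the noisy callee.  bp0 forces ID 0, so "bd 0"/"be 0" below are
$$ guaranteed to refer to it.  When it hits it disables itself (bd 0), so
$$ later calls from other callers do not break, then prints the stack.
$$ The command string does not end in g, so the debugger stays broken in.
bp0 USER32!DialogBox2 "bd 0; kL"

$$ Start with the gate closed.
bd 0

$$ Count how many times the gate was opened (user pseudo-register $t0).
r $t0 = 0

$$ BP1: the specific caller.  Bump the counter, open the gate, keep going.
bp1 USER32!DialogBoxParamW "r $t0 = @$t0 + 1; be 0; g"

$$ Check the state: 0 should list as 'd', 1 as 'e' with its command string.
bl

$$ Run.  The next break is BP0, reached only via DialogBoxParamW.
g

$$ After the break: how many times did we pass through the caller?
.printf "gate opened %d time(s)\n", @$t0
```

Disabling rather than deleting matters here: a one-shot breakpoint (bp /1) is removed after its first hit, so BP1's "be 0" would have nothing to re-enable the next time the caller runs, whereas a disabled breakpoint keeps its ID and can be toggled indefinitely.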

spatdsg