
Breakpoints 200

Before I got distracted with cred roaming and new netlogon goodness… we were talking about breakpoints.

 

We discussed basic commands and then saw some uses for the command string parameter.

 

[~Thread] bp[ID] [Options] [Address [Passes]] ["CommandString"]

 

Another thing you can do is get creative with enabling and disabling breakpoints.

 

Say you want to set a BP on a very commonly called function, call it advapi32!CommonCall, but you don't want to break on every call to it.

 

You can instead set a BP on the caller you care about, mycode!caller, and use that BP's command string to enable the BP on advapi32!CommonCall. That way the common function only breaks once it has been reached through the caller you are interested in.

 

Let's say that your 'common call' is USER32!DialogBox2 and the caller you care about is USER32!DialogBoxParamW. In notepad, the ShellAboutW path reaches DialogBox2 through DialogBoxParamW:

 

 

0:000> KL

ChildEBP RetAddr 

001ff638 7689b5bc ntdll!KiFastSystemCallRet

001ff63c 76891598 USER32!NtUserWaitMessage+0xc

001ff670 76891460 USER32!DialogBox2+0x202

001ff698 768914a2 USER32!InternalDialogBox+0xd0

001ff6b8 768b12de USER32!DialogBoxIndirectParamAorW+0x37

001ff6dc 77001832 USER32!DialogBoxParamW+0x3f

001ff700 7711a0e5 SHELL32!SHFusionDialogBoxParam+0x32

001ff734 0057441c SHELL32!ShellAboutW+0x40

001ff7b8 00571576 notepad!NPCommand+0x718

001ff7dc 768a1a10 notepad!NPWndProc+0x4cf

001ff808 768a1ae8 USER32!InternalCallWinProc+0x23

001ff880 768a2a47 USER32!UserCallWinProcCheckWow+0x14b

001ff8e4 768a2a98 USER32!DispatchMessageWorker+0x322

001ff8f4 005714e9 USER32!DispatchMessageW+0xf

001ff928 00571971 notepad!WinMain+0xe3

001ff9b8 76b63833 notepad!__mainCRTStartup+0x140

001ff9c4 77b1a9bd kernel32!BaseThreadInitThunk+0xe

001ffa04 00000000 ntdll!_RtlUserThreadStart+0x23

 

 

Set your breakpoints.

 

0:000> bp USER32!DialogBox2

0:000> bp USER32!DialogBoxParamW

 

Note that both are enabled (the 'e' in the second column) and have been assigned IDs 0 and 1.

 

0:000> bl

 0 e 76891244     0001 (0001)  0:**** USER32!DialogBox2

 1 e 768b129f     0001 (0001)  0:**** USER32!DialogBoxParamW

 

 

Now, we don't want to hit BP0 every time. Let's say DialogBox2 is called from 20 other places, so go ahead and disable it. The second column changes from 'e' to 'd':

 

0:000> bd 0

0:000> bl

 

 0 d 76891244     0001 (0001)  0:**** USER32!DialogBox2

 1 e 768b129f     0001 (0001)  0:**** USER32!DialogBoxParamW

 

 

Now we redefine BP1 so that when it hits, it enables BP0 and then continues ('go'). Setting bp on an address that already has a breakpoint redefines that breakpoint rather than creating a new one, which is why the ID stays 1:

 

0:000> bp 768b129f      "be 0;g"

breakpoint 1 redefined

 

0:000> bl

 0 d 76891244     0001 (0001)  0:**** USER32!DialogBox2

 1 e 768b129f     0001 (0001)  0:**** USER32!DialogBoxParamW "be 0;g"

 

 

Note that BP0 is still disabled. Now go and see what happens.

 

 

0:000> g

Breakpoint 0 hit

eax=00520576 ebx=00000000 ecx=00520576 edx=01920570 esi=00000001 edi=00630ccc

eip=76891244 esp=001ff674 ebp=001ff698 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

USER32!DialogBox2:

76891244 8bff            mov     edi,edi

 

0:000> bl

 0 e 76891244     0001 (0001)  0:**** USER32!DialogBox2

 1 e 768b129f     0001 (0001)  0:**** USER32!DialogBoxParamW "be 0;g"

 

 

When we hit BP1, its command string enables BP0 and resumes, so we break in on BP0 only after DialogBoxParamW has been reached, which is the more specific case we wanted. One caveat: once BP0 has been enabled it stays enabled, so later calls to DialogBox2 from any of the other 20 callers will break as well. If you only want the one chained hit, put 'bd 0' in BP0's own command string, or have BP1 set a one-shot breakpoint with 'bp /1 USER32!DialogBox2' instead of enabling BP0.
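As an added example (not from the original post), here is the same caller-gated chain written as a WinDbg script, with the refinement you usually want in practice: BP0 checks that it really was reached from the caller seen in the stack above and then disables itself, so the other 20 callers of DialogBox2 do not start breaking in once the gate has opened. It assumes the notepad process and symbols shown above; the script file name chainbp.txt is hypothetical, and the InternalDialogBox+0xd0 return address is taken from the kL output on this page and will differ on other builds of user32.dll.

```windbg
$$ Added example, not from the original post. Load into the notepad session
$$ shown above with:  $$< chainbp.txt   (file name is hypothetical).
$$ Assumes the symbols from the post's stack; the +0xd0 offset is build-specific.

$$ Start from a clean breakpoint list so the IDs used below (0 and 1) are predictable.
$$ 'be 0' / 'bd 0' refer to breakpoints by ID, which is fragile if other BPs exist.
bc *

$$ BP0: the "common call". At function entry poi(@esp) is the return address, so
$$ compare it with the caller seen in the post's kL output (InternalDialogBox+0xd0).
$$ On a match: print the stack and disable ourselves so only this one hit breaks in.
$$ Otherwise: keep going without stopping.
bp USER32!DialogBox2 ".if (poi(@esp) == USER32!InternalDialogBox+0xd0) { .echo DialogBox2 reached via DialogBoxParamW; kL 8; bd 0 } .else { g }"

$$ BP0 starts disabled; only the gate below is allowed to turn it on.
bd 0

$$ BP1: the gate. When the caller we care about is hit, enable BP0 and resume.
bp USER32!DialogBoxParamW "be 0; g"

$$ Alternative gate: a one-shot breakpoint (bp /1) clears itself after it hits,
$$ so BP0 and its 'bd 0' are not needed at all. Uncomment to use instead of the above:
$$ bp USER32!DialogBoxParamW "bp /1 USER32!DialogBox2; g"

$$ Before running, 0 should show 'd' and 1 should show 'e' with its command string.
bl
g
```

After the chained hit, 'bl' shows BP0 back at 'd', so the next 'g' runs notepad at full speed again until DialogBoxParamW is called once more and re-opens the gate.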

 

 spatdsg

 

 

Published Thursday, June 28, 2007 7:24 AM by SpatDSG