Presentation is loading. Please wait.

Presentation is loading. Please wait.

Basic commands for Windbg – breakpoints Part 5 – Conditional Breakpoints By Anand George.

Published byNeal Robertson Modified over 5 years ago

Similar presentations

Presentation on theme: "Basic commands for Windbg – breakpoints Part 5 – Conditional Breakpoints By Anand George."— Presentation transcript:

1 Basic commands for Windbg – breakpoints Part 5 – Conditional Breakpoints
By Anand George

2 Conditional Breakpoints
Use to filter out the unnecessary breaks of bp, bm, bu, ba variant. A small “program” is given with the breakpoint command which decide to break or not. We can even use the program to print the stack on break and just “go” Its always better to use gc than g to go from a conditional break.

3 Conditional Breakpoints
bp HelloWorld!MyTestFunc ".if ( poi(testVar)>0n1500) {} .else {gc} "

4 Demo

5 Can be a bit more complicated.
bp kernel32!CreateEventW "$$<c:\\commands.txt“ .if != 0) { as /mu } .else ad /q ${/v:EventName} .if "Global*") == 0) gc .echo EventName

6 Try avoid complicated conditions
These scripts are more or less difficult to – debug. They are slow. Last and worst you wont find enough sample scripts anywhere to modify and accomplish the task.

7 Another better approach towards complicated debug script.
Just print everything and grep ( search ) using your favorite text editor. Mine is visual studio  Example – Find out if a called to nt! IoGetDmaAdapter is from a particular binary/code ( suspected malware where we don’t have the symbol but some suspicious address ranges in which any where eip can be present – may not be even a binary). It would be nice to have conditional breakpoint but it can be complicated and slow. Rather I recommended just print all the stacks and just grep ( search ) and it worked.

8 Other ways to filter the output ( kernel )
/1 Creates a "one-shot" breakpoint. After this breakpoint is triggered, the breakpoint is permanently removed from the breakpoint list. Give process context if possible. /p EProcess (Kernel mode only) Specifies a process that is associated with this breakpoint. EProcess should be the actual address of the EPROCESS structure, not the PID. The breakpoint is triggered only if it is encountered in the context of this process. Give thread context of interest if possible. /t EThread (Kernel mode only) Specifies a thread that is associated with this breakpoint. EThread should be the actual address of the ETHREAD structure, not the thread ID. The breakpoint is triggered only if it is encountered in the context of this thread. If you use /p EProcess and /t EThread , you can enter them in either order. /c MaxCallStackDepth Causes the breakpoint to be active only when the call stack depth is less than MaxCallStackDepth. You cannot combine this option together with /C. /C MinCallStackDepth Causes the breakpoint to be active only when the call stack depth is larger than MinCallStackDepth. You cannot combine this option together with /c.

9 Summary Conditional Breakpoints
Try grep( search ) in the non filtered output or partially filtered output than giving very complicated conditional breakpoint. Some other ways to filter the number of breaks.

10 Thank you

Download ppt "Basic commands for Windbg – breakpoints Part 5 – Conditional Breakpoints By Anand George."

Similar presentations

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
A Guide to Unix Using Linux Fourth Edition

A Guide to Unix Using Linux Fourth Edition
The IDE (Integrated Development Environment) provides a DEBUGGER for locating and correcting errors in program logic (logic errors not syntax errors) The.

The IDE (Integrated Development Environment) provides a DEBUGGER for locating and correcting errors in program logic (logic errors not syntax errors) The.
Filters using Regular Expressions grep: Searching a Pattern.

Filters using Regular Expressions grep: Searching a Pattern.
Advanced File Processing

Advanced File Processing
Unix Talk #2 (sed). 2 You have learned…  Regular expressions, grep, & egrep  grep & egrep are tools used to search for text in a file  AWK -- powerful.

Unix Talk #2 (sed). 2 You have learned…  Regular expressions, grep, & egrep  grep & egrep are tools used to search for text in a file  AWK -- powerful.
Guide to Linux Installation and Administration, 2e1 Chapter 7 The Role of the System Administrator.

Guide to Linux Installation and Administration, 2e1 Chapter 7 The Role of the System Administrator.
Advanced File Processing. 2 Objectives Use the pipe operator to redirect the output of one command to another command Use the grep command to search for.

Advanced File Processing. 2 Objectives Use the pipe operator to redirect the output of one command to another command Use the grep command to search for.
Linux Operations and Administration

Linux Operations and Administration
Chapter Five Advanced File Processing Guide To UNIX Using Linux Fourth Edition Chapter 5 Unix (34 slides)1 CTEC 110.

Chapter Five Advanced File Processing Guide To UNIX Using Linux Fourth Edition Chapter 5 Unix (34 slides)1 CTEC 110.
Chapter Five Advanced File Processing. 2 Objectives Use the pipe operator to redirect the output of one command to another command Use the grep command.

Chapter Five Advanced File Processing. 2 Objectives Use the pipe operator to redirect the output of one command to another command Use the grep command.
Debugging in Java. Common Bugs Compilation or syntactical errors are the first that you will encounter and the easiest to debug They are usually the result.

Debugging in Java. Common Bugs Compilation or syntactical errors are the first that you will encounter and the easiest to debug They are usually the result.
Chapter 8 – Main Memory (Pgs 315 - 350). Overview  Everything to do with memory is complicated by the fact that more than 1 program can be in memory.

Chapter 8 – Main Memory (Pgs ). Overview  Everything to do with memory is complicated by the fact that more than 1 program can be in memory.
Win32 Programming Lesson 25: Unhandled Exceptions Bet you’ve never encountered one of those, eh?

Win32 Programming Lesson 25: Unhandled Exceptions Bet you’ve never encountered one of those, eh?
Presentation Name / 1 www.ezesoft.com Visual C++ Builds and External Dependencies NAME.

Presentation Name / 1 Visual C++ Builds and External Dependencies NAME.
Chapter Five Advanced File Processing. 2 Lesson A Selecting, Manipulating, and Formatting Information.

Chapter Five Advanced File Processing. 2 Lesson A Selecting, Manipulating, and Formatting Information.
Chapter 3: Linux & Processes Let’s look at some data.

Chapter 3: Linux & Processes Let’s look at some data.
Lesson 4-Mastering the Visual Editor. Overview Introducing the visual editor. Working in an existing file with vi. Understanding the visual editor. Navigating.

Lesson 4-Mastering the Visual Editor. Overview Introducing the visual editor. Working in an existing file with vi. Understanding the visual editor. Navigating.
Classwork: Common Errors Primary keys: don’t forget them! Primary keys: choose the best one! – “Name” and “birthday” are not the best choices. – “Phone.

Classwork: Common Errors Primary keys: don’t forget them! Primary keys: choose the best one! – “Name” and “birthday” are not the best choices. – “Phone.
Source Level Debugging of Parallel Programs Roland Wismüller LRR-TUM, TU München Germany.

Source Level Debugging of Parallel Programs Roland Wismüller LRR-TUM, TU München Germany.

Similar presentations

Ads by Google