How to set a conditional breakpoint on a register value in windbg?

Time: 2018-02-14 10:51:18

Tags: windbg

I would like to know whether there is a way in windbg to set a breakpoint across the whole code that fires when a register takes a specific value or points to a specific value.

More specifically, somewhere in the code "Err" is returned. I want to set a breakpoint that stops the code whenever EAX or another register points to something like "Err".

I must say that "Err" cannot be found in the disassembler.

1 answer:

Answer 0 (score: 0)

Breakpoints are always associated with an address, whether software breakpoints or hardware breakpoints.

If you use a memory breakpoint, it will trigger on a page boundary (page_guard_violation).

Apart from single-stepping, you can try windbg's wt (the watch and trace command, with a depth parameter), combined with a generic breakpoint address, if you only want to watch eax (the return value of any call).

Example below:

os: windows 7 sp1 32-bit
windbg version: 10.0.16299.15
debuggee: calc.exe
generic breakpoint: calc!WinMain

command used: wt -l 8 -or

It traces about 7500 calls at this depth before windbg breaks:

>wc -l foo.txt & head foo.txt
7679 foo.txt

0:000> bp calc!WinMain
0:000> wt -l 8 -or
    3     0 [  0] ntdll!LdrpDoDebuggerBreak
   11     0 [  1]   ntdll!_SEH_epilog4 eax = 0
    4    11 [  0] ntdll!LdrpDoDebuggerBreak eax = 0
>> No match on ret
    4    11 [  0] ntdll!LdrpDoDebuggerBreak
   12     0 [  0] ntdll!LdrpInitializeProcess
*** ERROR: Module load completed but symbols could not be 
    1     0 [  1]   ntdll!NtQueryInformationProcess

And if you know eax holds 88 and you want to check for it, you can use grep magic like this:

>grep -i "eax = .*88" foo.txt
   21     0 [  7]               msvcrt!_SEH_prolog4 eax = ef388
   21     0 [  8]                 KERNELBASE!_SEH_prolog4 eax = ee788
   14     0 [  8]                 ntdll!RtlpAllocateDebugInfo eax = 2c7b88
   21     0 [  7]               ntdll!_SEH_prolog4 eax = ef388
   44     0 [  8]                 ntdll!RtlAllocateHeap eax = 2c88c0
   57     0 [  8]                 ntdll!RtlDebugAllocateHeap eax = 2c88c0
    3     0 [  8]                 ntdll!RtlpAllocateHeap eax = 2c88c0
   15     0 [  8]                 ntdll!RtlAllocateHeap eax = 2c88c0
    6     0 [  7]               ole32!CPageAllocator::CPageAllocator eax = 76b88814
    6     0 [  7]               ole32!CPageAllocator::CPageAllocator eax = 76b87688
    6     0 [  7]               ole32!CPageAllocator::CPageAllocator eax = 76b86788
    3     0 [  6]             ole32!`dynamic initializer for 'arDcomInterfaces'' eax = 76a87988
   32     0 [  8]                 ole32!_onexit eax = 76a7e88b
   31    96 [  7]               ole32!ComVerifierSettings::ComVerifierSettings eax = 76b88aef
  104     0 [  8]                 ntdll!RtlDebugAllocateHeap eax = 2ca880
   11     0 [  8]                 ntdll!_SEH_epilog4 eax = 2ca880
   33   136 [  7]               ntdll!RtlpAllocateHeap eax = 2ca880
   44   169 [  6]             ntdll!RtlAllocateHeap eax = 2ca880
   14     0 [  5]           WINMM!WPP_INIT_CONTROL_ARRAY eax = 68d68f88
    7     0 [  8]                 WINMM!soundPlay eax = ffffffff`f7d0ed88
    7     0 [  8]                 WINMM!soundPlay eax = ffffffff`fbf886bb
   13     0 [  8]                 KERNELBASE!GetTickCount eax = 346883
    7     0 [  8]                 WINMM!soundPlay eax = ffffffff`ff48a886
    7     0 [  8]                 WINMM!soundPlay eax = 3010388

Narrowing down to a specific break based on the collected sample data:

This is a specific scenario where you know the error code is 0xc0000034, and you know that you do not want the NtOpenKey that returns that value but some other api.

You can use something like this; notice that only an avast hook returns the error, which you can lock onto:

>grep -i "eax =.*c.*34" foo.txt | grep -v -iE "ntopen|query|Image"
   18     0 [  8]                 KERNELBASE!BaseGetProcessDllPath eax = 2c634c
   51     0 [  8]                 KERNELBASE!BasepGetCachedPath eax = 2c634c
   18    80 [  7]               KERNELBASE!BaseGetProcessDllPath eax = 2c634c
   99     0 [  8]                 aswhookx eax = ffffffff`c0000034
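The grep filters in the answer above, reimplemented as a small parser for `wt -or` trace lines so the return value and call depth can be filtered structurally rather than by text patterns. This is an added example, not code from the answer or from windbg; the sample lines are copied from the trace output shown above and the field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One `wt -or` line: <instr> <instr in callees> [<depth>] <symbol> [eax = <hex>]
WT_LINE = re.compile(
    r"^\s*(?P<instr>\d+)\s+(?P<callees>\d+)\s+\[\s*(?P<depth>\d+)\]\s+"
    r"(?P<symbol>\S.*?)(?:\s+eax\s*=\s*(?P<eax>[0-9a-f`]+))?\s*$",
    re.IGNORECASE,
)

@dataclass
class WtRecord:
    instructions: int          # instructions executed in this function
    callee_instructions: int   # instructions executed in its callees
    depth: int                 # call depth shown in [ ]
    symbol: str
    eax_text: Optional[str]    # hex exactly as windbg printed it, None without "eax ="
    eax: Optional[int]         # numeric value, low 32 bits only

def parse_wt(lines) -> List[WtRecord]:
    """Parse wt -or output; '>> No match on ret', '*** ERROR' and similar noise is skipped."""
    records = []
    for line in lines:
        m = WT_LINE.match(line)
        if not m:
            continue
        eax_text = m.group("eax")
        # A 64-bit windbg prints eax sign-extended (ffffffff`c0000034): keep the low 32 bits.
        eax = int(eax_text.replace("`", ""), 16) & 0xFFFFFFFF if eax_text else None
        records.append(WtRecord(int(m.group("instr")), int(m.group("callees")),
                                int(m.group("depth")), m.group("symbol"), eax_text, eax))
    return records

def find_returns(records, value=None, pattern=None, exclude=()) -> List[WtRecord]:
    """Select returns by exact eax value and/or a regex over the printed hex,
    dropping symbols containing any `exclude` substring (like grep -v -iE)."""
    hits = []
    for r in records:
        if r.eax is None:
            continue
        if value is not None and r.eax != value:
            continue
        if pattern is not None and not re.search(pattern, r.eax_text, re.IGNORECASE):
            continue
        if any(x.lower() in r.symbol.lower() for x in exclude):
            continue
        hits.append(r)
    return hits

# Constructed sample: lines copied from the trace output above, including two noise lines.
SAMPLE = """\
    3     0 [  0] ntdll!LdrpDoDebuggerBreak
   11     0 [  1]   ntdll!_SEH_epilog4 eax = 0
>> No match on ret
*** ERROR: Module load completed but symbols could not be
   18     0 [  8]                 KERNELBASE!BaseGetProcessDllPath eax = 2c634c
   99     0 [  8]                 aswhookx eax = ffffffff`c0000034
   21     0 [  7]               msvcrt!_SEH_prolog4 eax = ef388
""".splitlines()
```

`find_returns(parse_wt(SAMPLE), value=0xC0000034, exclude=("ntopen", "query", "image"))` reproduces the last grep pipeline and returns only the aswhookx record.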