conditional breakpoints with register value

Burkhardt_Braun Member Posts: 11

Dear Readers,
I use windbg 6.12.... AMD64 with a Windows 7 x64 target.
I want to break in a function at a particular register value.

My real problem is bigger, but even simple statements like

nt!KeWaitForSingleObject "j((ax=1)) '.echo \"Breakpoint hit, condition (ax=1)\"' ; 'gc'"
nt!KeWaitForSingleObject "j(eax=1) '.echo \"Breakpoint hit, condition eax=1\"' ; 'gc'"
nt!KeWaitForSingleObject "j(@eax=1) '.echo \"Breakpoint hit, condition @eax=1\"' ; 'gc'"
nt!KeWaitForSingleObject "j(@rax=1) '.echo \"Breakpoint hit, condition @rax=1\"' ; 'gc'"
nt!KeWaitForSingleObject "j(rax==1) '.echo \"Breakpoint hit, condition rax==1\"' ; 'gc'"
nt!KeWaitForSingleObject "j(@rax==1) '.echo \"Breakpoint hit, condition @rax==1\"' ; 'gc'"

are breaking, independent of the register value.

What am I missing here?

Regards
Burkhardt

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,678

    Never used the j command, I always do this with .if/.else:

    bp nt!KeWaitForSingleObject ".if (@rax == 1) { .echo "Breakpoint hit, condition @rax==1" } .else {gc}"

    Note that you can test out your conditional statement outside of the bp syntax, which I always find helpful as I try to debug them. For example:

    0: kd> g
    Breakpoint 0 hit
    nt!KeWaitForSingleObject:
    fffff801`2e642fe0 48895c2410      mov     qword ptr [rsp+10h],rbx
    0: kd> r @rax
    rax=0000000000006000
    0: kd> .if (@rax == 0x6000 ) { .echo "Breakpoint hit, condition @rax==0x6000" }
    Breakpoint hit, condition @rax==0x6000
    

    Now you know your .if works so you can add in the .else and throw it into the bp command:

    bp nt!KeWaitForSingleObject ".if (@rax == 1) { .echo "Breakpoint hit, condition @rax==1" } .else {gc}"

    (I must also say that checking the value of @rax at the start of a function isn't necessarily that helpful, it's not used as part of any calling convention)

    -scott
    OSR

  • Burkhardt_Braun Member Posts: 11

    Thank you very much!

    Your commands did not work; copy-pasting them leads to "Malformed string..." errors at the quotation mark.
    Removing them was successful. A statement like:
    bp nt!KeWaitForSingleObject ".if (@rax == 0) { .echo Breakpoint hit, condition @rax==0 } .else {gc}"
    is now properly working!

    I chose the rax register only for simplification.
    Best regards
    Burkhardt

  • 0xrepnz Member Posts: 102
    edited December 2023

    Personally I think that using the "/w" option in bp is the simplest way to do conditional breakpoints. For example:

    bp /w "@rax == 0x0" nt!KeWaitForSingleObject 
    

    It's possible to use any 'dx expression' in there, like:

    bp /w "@$curprocess.Name == \"myproc.exe\"" nt!KeWaitForSingleObject

    - Ori Damari