How to break a fucntion with windows debugger

Hi ,

I have a code running in a machine and have windbg connected in the other end.
I want to break at a particular function say “reset_memory_func”.

I gave bp my_module!reset_memory_fucn -
This shows “couldn’t resolve at my_module!reset_memory_fucn”

i have also tried with bu , its not breaking.Any help is appreciated.

Check if your symbols for my_module are loaded correctly

On Tue, Feb 2, 2016 at 7:42 PM, wrote:

> Hi ,
>
> I have a code running in a machine and have windbg connected in the other
> end.
> I want to break at a particular function say “reset_memory_func”.
>
> I gave bp my_module!reset_memory_fucn -
> This shows “couldn’t resolve at my_module!reset_memory_fucn”
>
> i have also tried with bu , its not breaking.Any help is appreciated.
>
>
>
> —
> WINDBG is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>

xxxxx@gmail.com wrote:

I have a code running in a machine and have windbg connected in the other end.
I want to break at a particular function say “reset_memory_func”.

I gave bp my_module!reset_memory_fucn -
This shows “couldn’t resolve at my_module!reset_memory_fucn”

Please be careful with your typing, because you could be masking a real
problem. Note, in particular, that the function name in your error
message is NOT the same as the function name in your first paragraph.
The spelling must, of course, match exactly.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> Hi ,

I have a code running in a machine and have windbg connected in the other
end.
I want to break at a particular function say “reset_memory_func”.

I gave bp my_module!reset_memory_fucn - This shows “couldn’t resolve at
my_module!reset_memory_fucn”

i have also tried with bu , its not breaking.Any help is appreciated.

After you set the breakpoint, what does “bl” show you? You will be able to see if it has resolved the address of the function etc.

James

Hi,

I"m very thankful for response.

@dhananjay - Hi, unfortunately i don’t have the pdb files . would i be able to break a function of a particular module with out pdb files? i guess i would retrieve the function address with the help of pdb files and break with bp.

@Tim - thanks and sorry , it was a typo - i have tried with proper name, multiple times but not able to break.This function name i have collected from the module prints.

@james - Hi, as bp and bu is showing error to set break point - bl display’s blank

Thank You

Hi all,

Please advice , is it possible to break a module function without pdb files.

Thanks in Advance

OT: Do not spam the list like this, it’s really annoying. Your last post was
in the middle of the night in the US, there is absolutely no need to post a
follow up that just asks the same question again. Repeated violations will
result in moderation.

Back to the topic at hand…

If you don’t have PDBs you can only break on a function based on its
address, not its symbolic name.

-scott
OSR
@OSRDrivers

wrote in message news:xxxxx@windbg…

Hi all,

Please advice , is it possible to break a module function without pdb files.

Thanks in Advance

xxxxx@gmail.com wrote:

@dhananjay - Hi, unfortunately i don’t have the pdb files . would i be able to break a function of a particular module with out pdb files? i guess i would retrieve the function address with the help of pdb files and break with bp.

That’s right. Without the PDB, your function name does not exist
anywhere in the binary. There’s no way for the debugger to look it up.

If you have a linker map file, you might be able to figure out the
offset of the function, but if you had the map file, you’d probably have
the PDB…


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

xxxxx@gmail.com wrote:

Please advice , is it possible to break a module function without pdb files.

Could you find the function by hand, even with a binary editor? If not,
then it should be clear that windbg can’t, either.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hi Scot,

I apologize to disturb every one at uncomfortable time.

back to topic -

If you don’t have PDBs you can only break on a function based on its address,
not its symbolic name.

As you mentioned , without pdb , by function address windbg could set a break point.
I couldn’t retrieve the function address by command “x my_module!* and x my_module!reset_memory_fun” without pdb files.

Is there any other way to retrieve the function address? I have the proper function name in my hand.

Thanks in advance.

to reiterate windbg does not know or understand names unless you feed
it a pdb or a map or some such hack that could let windbg rename the
address 0x12345678 to foo!blah

only then and only then you can set a breakpoint with names otherwise
you have no option other than setting a breakpoint with address

if your module is loading on different address everytime you can use
the modulebase+rva syntax to set a breakpoint like bp notepad+1405
where notepad can vary on every restart and wouldnt matter (simulating
bu wit hbp)

if you know the function start address you can save the byte and
hardcode a 0xcc in place and windbg will always break on that address
you can replace the hardcoded 0xcc to the saved byte and go ahead

hope it is clear

On 2/4/16, xxxxx@gmail.com wrote:
> Hi Scot,
>
> I apologize to disturb every one at uncomfortable time.
>
> back to topic -
>
>>If you don’t have PDBs you can only break on a function based on its
>> address,
>>not its symbolic name.
>
> As you mentioned , without pdb , by function address windbg could set a
> break point.
> I couldn’t retrieve the function address by command “x my_module!* and x
> my_module!reset_memory_fun” without pdb files.
>
> Is there any other way to retrieve the function address? I have the proper
> function name in my hand.
>
> Thanks in advance.
>
>
> —
> WINDBG is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
> drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at
> http:
></http:></http:>

xxxxx@gmail.com wrote:

> If you don’t have PDBs you can only break on a function based on its address,
> not its symbolic name.
As you mentioned , without pdb , by function address windbg could set a break point.
I couldn’t retrieve the function address by command “x my_module!* and x my_module!reset_memory_fun” without pdb files.

Is there any other way to retrieve the function address? I have the proper function name in my hand.

How would you do it? Take your executable file and open it up in a text
editor. Do it, just to convince yourself. Look through the
gobbledygook, and you will not find your function name anywhere in the
file. If it’s not in the file, then NO ONE can find it. There is no
magic here.

You’ve asked this question three times and received three identical
answers. If you don’t believe us, then you’d better post a good reason why.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks for everything Tim,I totally believe you.

I was a bit diverted with multiple suggestions .

Thanks again.