Breakpoint in physical adress

RAM_KUMAR · August 7, 2012, 9:00am

Hi All,
Is it possible to put a breakpoint on physical address? i used to check physical address’s in windbg like !dd 80000000+4444. i want to break into debugger when some function writes the value to it.
Thanks,
RaaM

mm1 · August 7, 2012, 2:52pm

Not directly, no.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, August 07, 2012 6:00 AM
To: Kernel Debugging Interest List
Subject: [windbg] Breakpoint in physical adress

Hi All,
Is it possible to put a breakpoint on physical address? i used to check
physical address’s in windbg like !dd 80000000+4444. i want to break into
debugger when some function writes the value to it.
Thanks,
RaaM

WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Tim_Roberts · August 7, 2012, 3:17pm

xxxxx@gmail.com wrote:

Is it possible to put a breakpoint on physical address? i used to check physical address’s in windbg like !dd 80000000+4444. i want to break into debugger when some function writes the value to it.

The x86 hardware breakpoint unit only works in virtual addresses. If
you can find all of the virtual mappings of your physical address, you
can set hardware write breakpoints on those addresses.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

raj_r · August 10, 2012, 4:11pm

there is one !ubp which documentation says sets bp on physical whatever
though i never got it to work

rereading you question iam not sure if it would work like break on
access ba type break either

anyway i have used !eb (write byte to physical address ) some times to
work as software breakpoint like below which i infer is not what you
asked at all after rereading your question

kd> !process 0 0 testubp.exe
PROCESS 8112e030 SessionId: 0 Cid: 02a0 Peb: 7ffdd000 ParentCid: 0534
DirBase: 05a49000 ObjectTable: e1a346e8 HandleCount: 15.
Image: testubp.exe

kd> .process /p /r /P 8112e030
Implicit process is now 8112e030
.cache forcedecodeptes done
Loading User Symbols
...........
kd> !grep -i -e "MessageBoxW+" -c "!process 0 3f testubp.exe"
0012ff64 00401017 USER32!MessageBoxW+0x45 (FPO: [Non-Fpo])

kd> !vtop 0 00401017
X86VtoP: Virt 00401017, pagedir 39000000
X86VtoP: PDE 39000004 read error 0x8007001E

Virtual address 401017 translation fails, error 0x8007001E. <--------
we lost context it seems

need to set context again

kd> .process /p /r /P 8112e030
Implicit process is now 8112e030
.cache forcedecodeptes done
Loading User Symbols
...........

kd> !vtop 0 00401017
X86VtoP: Virt 00401017, pagedir 5a49000
X86VtoP: PDE 5a49004 - 077b4067
X86VtoP: PTE 77b4004 - 018fd005
X86VtoP: Mapped phys 18fd017
Virtual address 401017 translates to physical address 18fd017.

kd> !db 18fd017 l10

18fd017 6a 00 68 78 21 40 00 68-bc 21 40 00 6a 00 ff d6 j.hx!@.h.!@.j...

kd> db 401017 l10
00401017 6a 00 68 78 21 40 00 68-bc 21 40 00 6a 00 ff d6 j.hx!@.h.!@.j...

kd> !eb [c] 18fd017 cc

kd> !db 18fd017 l10

18fd017 cc 00 68 78 21 40 00 68-bc 21 40 00 6a 00 ff d6 ..hx!@.h.!@.j...

kd> db 401017 l10
00401017 cc 00 68 78 21 40 00 68-bc 21 40 00 6a 00 ff d6 ..hx!@.h.!@.j...

kd> g
watchdog!WdUpdateRecoveryState: Recovery enabled.
Break instruction exception - code 80000003 (first chance)

21: );
testubp!wmain+0x17:
001b:00401017 cc int 3

kd> du poi(@eip+3);du poi(@eip+8)
00402178 "for Physical Breakpoint Checking"
004021b8 ""
004021bc "This Is the Second MessageBox"
kd> !eb [c] 18fd017 6a rechange the bp to orig opcode so we can continue

kd> !vtop 0 4021bc
X86VtoP: Virt 004021bc, pagedir 5a49000
X86VtoP: PDE 5a49004 - 077b4067
X86VtoP: PTE 77b4008 - 05bcd025
X86VtoP: Mapped phys 5bcd1bc
Virtual address 4021bc translates to physical address 5bcd1bc.
kd> !du 5bcd1bc l20

5bcd1bc "This Is the Second MessageBox"

kd> !eb [c] 5bcd1bc 4c 00 45 00 45 00 54 00
kd> !du 5bcd1bc l20

5bcd1bc "LEET Is the Second MessageBox"

kd> bp 401025

kd> g

Breakpoint 0 hit

21: );
testubp!wmain+0x25:
001b:00401025 ffd6 call esi

kd> du poi(esp+4)
004021bc "LEET Is the Second MessageBox" LEET change in physical page

On 8/8/12, Tim Roberts wrote:
> xxxxx@gmail.com wrote:
>> Is it possible to put a breakpoint on physical address? i used to check
>> physical address's in windbg like !dd 80000000+4444. i want to break into
>> debugger when some function writes the value to it.
>
> The x86 hardware breakpoint unit only works in virtual addresses. If
> you can find all of the virtual mappings of your physical address, you
> can set hardware write breakpoints on those addresses.
>
> --
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> ---
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> OSR Seminars – OSR
>
> To unsubscribe, visit the List Server section of OSR Online at
> ListServer/Forum
>