Is there something wrong with the following syntax. I am trying to set a
conditional breakpoint on kesetevent if the first argument (object handle )
is a particular handle that I m interested to know who is setting.
nt!KeSetEvent+0x7 “j (poi(@ebp + 0x8)) = 0x81b71ad8 ‘’;‘gc’”
For one, it makes the system horribly slow and two it spits out the
following error message when I forcibly break into the system:
0: kd> g
Memory access error at ‘)) = 0x81b71ad8 ‘’;‘gc’’
nt!KeSetEvent+0x7:
804fa023 57 push edi
Wonder whats up, the above syntax tested on my private method works fine to
test the first parameter.Looks like kesetevent is using the stdcall
convention ( or is it the winapi convention, whatever it is called but
importantly kesetevent clears the stack on a return ).
thanks
banks
Actually, never mind. I found a terrible debug hack to do the same thing for
me. Put a jmp code in nt!keresetevent to a method in my driver more like a
scratch pad method. By comparing [ebp+0x8] with handle id and followed by
int 3 in this scratch pad code, I could get the same effect albeit without
slowing the system down.
thanks
banks
“bank kus” wrote in message news:xxxxx@windbg…
> Is there something wrong with the following syntax. I am trying to set a
> conditional breakpoint on kesetevent if the first argument (object
> handle ) is a particular handle that I m interested to know who is
> setting.
>
> nt!KeSetEvent+0x7 “j (poi(@ebp + 0x8)) = 0x81b71ad8 ‘’;‘gc’”
>
> For one, it makes the system horribly slow and two it spits out the
> following error message when I forcibly break into the system:
> 0: kd> g
> Memory access error at ‘)) = 0x81b71ad8 ‘’;‘gc’’
> nt!KeSetEvent+0x7:
> 804fa023 57 push edi
>
> Wonder whats up, the above syntax tested on my private method works fine
> to test the first parameter.Looks like kesetevent is using the stdcall
> convention ( or is it the winapi convention, whatever it is called but
> importantly kesetevent clears the stack on a return ).
>
> thanks
> banks
>
>
>