Dear Readers,
I use windbg 6.12… AMD64 with a Windows 7 x64 target.
I want to break in a function at a particular register value.
My real problem is bigger, but even simple statements like
nt!KeWaitForSingleObject "j((ax=1)) '.echo "Breakpoint hit, condition (ax=1)"' ; 'gc'"
nt!KeWaitForSingleObject "j(eax=1) '.echo "Breakpoint hit, condition eax=1"' ; 'gc'"
nt!KeWaitForSingleObject "j(@eax=1) '.echo "Breakpoint hit, condition @eax=1"' ; 'gc'"
nt!KeWaitForSingleObject "j(@rax=1) '.echo "Breakpoint hit, condition @rax=1"' ; 'gc'"
nt!KeWaitForSingleObject "j(rax==1) '.echo "Breakpoint hit, condition rax==1"' ; 'gc'"
nt!KeWaitForSingleObject "j(@rax==1) '.echo "Breakpoint hit, condition @rax==1"' ; 'gc'"
break regardless of the register value.
What am I missing here?
Regards
Burkhardt
Never used the j command, I always do this with .if/.else:
bp nt!KeWaitForSingleObject ".if (@rax == 1) { .echo "Breakpoint hit, condition @rax==1" } .else {gc}"
Note that you can test out your conditional statement outside of the bp syntax, which I always find helpful as I try to debug them. For example:
0: kd> g
Breakpoint 0 hit
nt!KeWaitForSingleObject:
fffff801`2e642fe0 48895c2410 mov qword ptr [rsp+10h],rbx
0: kd> r @rax
rax=0000000000006000
0: kd> .if (@rax == 0x6000 ) { .echo "Breakpoint hit, condition @rax==0x6000" }
Breakpoint hit, condition @rax==0x6000
Now you know your .if works so you can add in the .else and throw it into the bp command:
bp nt!KeWaitForSingleObject ".if (@rax == 1) { .echo "Breakpoint hit, condition @rax==1" } .else {gc}"
(I must also say that checking the value of @rax at the start of a function isn’t necessarily that helpful, it’s not used as part of any calling convention)
Thank you very much!
Your commands did not work; copy-pasting them leads to "Malformed string..." errors at the quotation mark.
Removing them was successful. A statement like:
bp nt!KeWaitForSingleObject ".if (@rax == 0) { .echo Breakpoint hit, condition @rax==0 } .else {gc}"
is now properly working!
I chose the rax register only for simplicity.
Best regards
Burkhardt
Personally I think that using the "/w" option in bp is the simplest way to do conditional breakpoints. For example:
bp /w "@rax == 0x0" nt!KeWaitForSingleObject
It’s possible to use any ‘dx expression’ in there, like:
bp /w "@$curprocess.Name == "myproc.exe"" nt!KeWaitForSingleObject
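To put the three forms discussed in this thread side by side (the original j attempts, the .if/.else reply, and the /w reply), here is an added example that is not from any of the posters. It is a sequence of commands typed at a kd> prompt against a kernel target; the condition (@rax == 1), the use of pseudo-register $t0 as a hit counter and the explicit breakpoint IDs 0 to 2 are illustrative assumptions, not values taken from the thread. Only one of the three breakpoints is needed in practice; they are given distinct IDs so the syntax can be compared, and bd/be can toggle them.

```windbg
$$ Added example, not from the thread. Typed at a kd> prompt.
$$ Assumed: condition @rax == 1, hit counter in $t0, breakpoint IDs 0-2.

$$ Start from a clean breakpoint list and reset the hit counter.
bc *
r $t0 = 0

$$ 1. MASM .if/.else form. The command string contains no nested double
$$    quotes: .echo prints the rest of its line unquoted, which is what
$$    avoids the "Malformed string" error. The counter is incremented
$$    before .echo so no semicolon has to follow the echoed text.
bp0 nt!KeWaitForSingleObject ".if (@rax == 1) { r $t0 = @$t0 + 1; .echo hit: rax == 1 } .else { gc }"

$$ 2. Same condition with j (execute-if-else). Each branch sits in single
$$    quotes, the comparison operator is ==, and the register carries the
$$    @ prefix so it is not resolved as a symbol.
bp1 nt!KeWaitForSingleObject "j (@rax == 1) 'r $t0 = @$t0 + 1; .echo hit via j: rax == 1' ; 'gc'"

$$ 3. bp /w form: the condition is a dx expression and the debugger only
$$    stops when it is true, so no gc branch is needed.
bp2 /w "@rax == 1" nt!KeWaitForSingleObject

$$ Keep one form active at a time; here forms 2 and 3 are disabled.
bd 1
bd 2

$$ Test the condition by hand on the current stop before trusting it in a
$$ breakpoint, as the second reply suggests.
.if (@rax == 1) { .echo condition true } .else { .echo condition false }

$$ List the breakpoints and show how many times the condition has held.
bl
.printf "conditional hits counted in $t0: %d\n", @$t0
```

The hit counter is the check a practitioner wants: if the target runs for a while and $t0 stays at zero while the breakpoint keeps stopping, the condition is not being evaluated the way you think, and the by-hand .if line above will show why.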