memory breakpoint on access

Does WinDbg offer a ba breakpoint that exceeds a size of 4?
Can I set a breakpoint on access to a specific page, not limiting
myself to 4 bytes or a dword?
Here is a !vadump range sample. I want to break when any code is executed in
the image range of ntdll.dll at 77f51000. Is it possible? Am I missing
something in the help file?

A "set pageguard and break when the guard page is accessed" kind
of breakpoint on this range.

To explain a bit more clearly: anyone who has used OllyDbg would be aware of
Alt+M (view memory) (a clone of the !vadump extension in sdbgexts),
right click -> break on access.

01000000
01001000
01014000
01016000
0101f000
77f50000

77f51000
BaseAddress:77f51000
RegionSize:00072000
State:00001000
Protect:00000020
Type:01000000
77fc3000
77fc8000
77ff7000

Any pointer would be helpful.

Thanks and Regards

raj_r

raj_r wrote:

Does WinDbg offer a ba breakpoint that exceeds a size of 4?
Can I set a breakpoint on access to a specific page, not limiting
myself to 4 bytes or a dword?

No. “ba” is implemented by using the x86 hardware breakpoint
registers. Those registers can only set a 1, 2, or 4-byte range.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

You need some help from a bus analyzer or a hardware debugger with some
bus analyzer functionality in order to do this on x86/x64. If you’re
interested, this can be done with an Arium ECM-50, as well as with some
products from Agilent and Corelis. Not cheap, however.

mm

>> xxxxx@probo.com 2007-04-26 12:45 >>>
raj_r wrote:
Does WinDbg offer a ba breakpoint that exceeds a size of 4?
Can I set a breakpoint on access to a specific page, not limiting
myself to 4 bytes or a dword?

No. “ba” is implemented by using the x86 hardware breakpoint
registers. Those registers can only set a 1, 2, or 4-byte range.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.


raj_r wrote:

Does WinDbg offer a ba breakpoint that exceeds a size of 4?
Can I set a breakpoint on access to a specific page, not limiting
myself to 4 bytes or a dword?

SoftICE (now killed by the Compuware corporate takeover) could set
whole-page breakpoints. This was probably implemented by simply
unmapping that page at the PTE level and catching the page faults inside
the debugger.

Just another reason I long preferred SoftICE over WinDbg.

For user-mode WinDbg, it might be possible to create a WinDbg extension
plug-in which did the same thing using a combination of
VirtualProtect(), first-chance exception breakpoints and self-disguising
breakpoints on VirtualProtect/VirtualQuery. But for kernel mode WinDbg,
you are completely limited to the small vocabulary of the
mini-debug-server implemented inside ntoskrnl.


Jakob Bøhm, M.Sc.Eng. * xxxxx@danware.dk * direct tel:+45-45-90-25-33
Danware Data A/S * Bregnerodvej 127 * DK-3460 Birkerod * DENMARK
http://www.netop.com * tel:+45-45-90-25-25 * fax tel:+45-45-90-25-26
Information in this mail is hasty, not binding and may not be right
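
Added example, not from the thread: the protection-based page breakpoint discussed above (revoke access to a whole range, catch the fault, report the address, restore access), written against POSIX mmap()/mprotect()/SIGSEGV as a stand-in for VirtualProtect() and first-chance exceptions so that it runs outside Windows. Like a guard page, each page traps once; all names (watch_arm, watch_touch, on_fault) are hypothetical.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical names; watch_base/watch_len describe the watched range. */
static volatile uint8_t *watch_base;
static size_t watch_len, page_sz;
static volatile long last_hit = -1;   /* offset of the most recent trapped access */
static volatile int hit_count;        /* number of traps taken so far */

/* Fault handler: plays the role of the debugger's first-chance exception hook. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    uintptr_t a = (uintptr_t)si->si_addr, b = (uintptr_t)watch_base;
    if (a < b || a >= b + watch_len) { signal(SIGSEGV, SIG_DFL); return; } /* not ours */
    last_hit = (long)(a - b); hit_count++;
    /* One-shot, like a guard page: restore access to the faulting page only. */
    mprotect((void *)(a & ~(uintptr_t)(page_sz - 1)), page_sz, PROT_READ | PROT_WRITE);
}

/* Arm break-on-access over npages whole pages (not 1, 2 or 4 bytes); 0 on success. */
int watch_arm(size_t npages) {
    struct sigaction sa = { .sa_sigaction = on_fault, .sa_flags = SA_SIGINFO };
    page_sz = (size_t)sysconf(_SC_PAGESIZE);
    watch_len = npages * page_sz;
    void *p = mmap(NULL, watch_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    watch_base = p;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    return mprotect(p, watch_len, PROT_NONE);   /* every access to the range now faults */
}

/* Touch one byte; return the offset the handler saw, or -1 if no trap fired. */
long watch_touch(size_t off) {
    last_hit = -1;
    watch_base[off] = 1;   /* faults, handler restores the page, the store is retried */
    return last_hit;
}

int main(void) {
    if (watch_arm(3) != 0) return 1;
    long a = watch_touch(page_sz + 5), b = watch_touch(page_sz + 9), c = watch_touch(7);
    printf("trap=%ld repeat=%ld other-page=%ld traps=%d\n", a, b, c, hit_count);
    return 0;
}
```

A persistent breakpoint would additionally single-step the faulting instruction and re-protect the page afterwards.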