Problem setting software breakpoint

Hello everyone!

I am writing a WinDbg extension and I am getting a weird problem setting a software
breakpoint at the address of a function entry point. I think I am doing everything by the book:

  1. Enumerated symbols
  2. Found the symbol which is a function name I am interested in
  3. Made sure that the symbol IS a function and got its address
  4. Created a breakpoint object with AddBreakpoint
  5. Specified the address of the breakpoint with SetOffset
  6. Enabled the breakpoint by adding the DEBUG_BREAKPOINT_ENABLED flag.

Unfortunately when I try to run the program I am getting the following error:

Unable to insert breakpoint 0 at 1000bce0, Win32 error 299
“Only part of a ReadProcessMemory or WriteProcessMemory request was completed.”
bp0 at 1000bce0 failed

It is important to note that I am not getting any errors while I am setting the breakpoint.
I am getting the error when I am trying to run the program.

I saw a few people asking about the error 299 “ERROR_PARTIAL_COPY” and what it really
means but didn’t see any reasonable answer.

Any help is greatly appreciated. Thanks in advance!

In general, it means that you don’t have access to some part of the area of memory in question. However, in my experience, errors returned from DbgEng (although this one is ultimately coming from WriteProcessMemory) are not uncommonly meaningless or disturbingly misleading. Usually, the first thing that I check when I hit some strange error with DbgEng is to check to see if all the environment variables are set, as it seems to have a number of less than clear ways to complain about that, but I doubt that is the problem here.

A few questions:

  • What happens if you set the breakpoint through WinDbg normally and then execute it, rather than using your extension? Is the address itself accessible?

  • Is this XP/Vista/Longhorn/…?

  • Is it Win32/Win64/Win32OnWin64?

  • What symbol?

This is a very common error/problem with DbgEng and ReadProcessMemory/WriteProcessMemory, and they can be very difficult to figure out.

Please post the source code if you’re interested in proceeding.

Good luck,

mm

Martin,

Thank you very much for your response. I found the problem. Actually it is pretty obvious.
I am trying to set the breakpoint not in the memory where code is located. The reason it is
happening is the following:

  1. When loading symbols with the SymLoadModule64 API, the user has to specify the BaseAddr
    parameter - I guess the base address at which the symbol file is going to be loaded.
  2. Without knowing any better and based on some sample code I found on site I set it to
    0x10000000. Actually the comments to this API call say that the value can be anything as long
    as it is not zero in the case of a PDB file.
  3. Clearly the symbol file was loaded at that address and the addresses of the symbols
    enumerated were also from that range: 0x10021ce0, etc.
  4. The actual code is loaded in memory at a completely different location - saw it by simply
    stepping through the code.

Unfortunately that doesn’t give me any idea on how to get the correct addresses of the
symbols for the file I debug. Why does enumeration of the symbols give wrong addresses?
One would assume that a symbol file loaded in memory should have the correct addresses
for the executable it goes with, regardless of where it is loaded.
Any idea?

Thanks for your help

Martin O’Brien wrote:
In general, it means that you don’t have access to some part of the area of memory in question. However, in my experience, errors returned from DbgEng (although this one is ultimately coming from WriteProcessMemory) are not uncommonly meaningless or disturbingly misleading. Usually, the first thing that I check when I hit some strange error with DbgEng is to check to see if all the environment variables are set, as it seems to have a number of less than clear ways to complain about that, but I doubt that is the problem here.
A few questions:
- What happens if you set the breakpoint through WinDbg normally and then execute it, rather than using your extension? Is the address itself accessible?
- Is this XP/Vista/Longhorn/…?
- Is it Win32/Win64/Win32OnWin64?
- What symbol?
This is a very common error/problem with DbgEng and ReadProcessMemory/WriteProcessMemory, and they can be very difficult to figure out.
Please post the source code if you’re interested in proceeding.
Good luck,
mm


You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Enumerate the modules and get the base address. Use that.

I don’t specifically know the quickest way to do that in the windbg environment, but at least you know what to look for.

“Yan Brenman” wrote in message news:xxxxx@windbg…
Martin,

Thank you very much for your response. I found the problem. Actually it is pretty obvious.
I am trying to set the breakpoint not in the memory where code is located. The reason it is
happening is the following:
1. When loading symbols with the SymLoadModule64 API, the user has to specify the BaseAddr
parameter - I guess the base address at which the symbol file is going to be loaded.
2. Without knowing any better and based on some sample code I found on site I set it to
0x10000000. Actually the comments to this API call say that the value can be anything as long
as it is not zero in the case of a PDB file.
3. Clearly the symbol file was loaded at that address and the addresses of the symbols
enumerated were also from that range: 0x10021ce0, etc.
4. The actual code is loaded in memory at a completely different location - saw it by simply
stepping through the code.

Unfortunately that doesn’t give me any idea on how to get the correct addresses of the
symbols for the file I debug. Why does enumeration of the symbols give wrong addresses?
One would assume that a symbol file loaded in memory should have the correct addresses
for the executable it goes with, regardless of where it is loaded.
Any idea?

Thanks for your help

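
The rebasing that the last reply points to, as an added example (not code from the thread or from DbgEng): an address enumerated under the arbitrary SymLoadModule64 base is turned into an offset and applied to the module's real base. The module name "target" and its base and size are constructed assumptions; 0x10000000 and 0x1000bce0 are the values from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed module list standing in for what the debugger reports for the
 * live target (in DbgEng, IDebugSymbols::GetModuleByModuleName returns the
 * base). The name "target" and its base/size are assumptions. */
typedef struct { const char *name; uint64_t base; uint32_t size; } module_t;
static const module_t modules[] = {
    { "ntdll",  0x7c900000ULL, 0x000b0000u },
    { "target", 0x00400000ULL, 0x00030000u },
};
#define NMODULES (sizeof modules / sizeof modules[0])

/* Module whose mapped image contains addr, or NULL if no image covers it. */
const module_t *module_containing(uint64_t addr) {
    for (size_t i = 0; i < NMODULES; i++)
        if (addr >= modules[i].base && addr - modules[i].base < modules[i].size)
            return &modules[i];
    return NULL;
}

/* Translate an address enumerated under the arbitrary SymLoadModule64 base
 * (sym_base) into the address inside the module as actually loaded.
 * Returns 0 on success, negative when the result would not be valid. */
int rebase_symbol(uint64_t sym_addr, uint64_t sym_base,
                  const char *mod_name, uint64_t *out) {
    const module_t *m = NULL;
    for (size_t i = 0; i < NMODULES; i++)
        if (strcmp(modules[i].name, mod_name) == 0) m = &modules[i];
    if (m == NULL) return -1;               /* module not loaded in target */
    if (sym_addr < sym_base) return -2;     /* address below the symbol base */
    uint64_t rva = sym_addr - sym_base;     /* offset within the image */
    if (rva >= m->size) return -3;          /* offset outside the image */
    *out = m->base + rva;
    return 0;
}

int main(void) {
    uint64_t bp = 0;
    /* 0x1000bce0 and 0x10000000 are the values from the thread. */
    printf("old address mapped: %s\n",
           module_containing(0x1000bce0ULL) ? "yes" : "no");
    if (rebase_symbol(0x1000bce0ULL, 0x10000000ULL, "target", &bp) == 0)
        printf("set breakpoint at 0x%llx\n", (unsigned long long)bp);
    return 0;
}
```

Checking module_containing() on the address before passing it to SetOffset catches the case from the thread, where the breakpoint is accepted when set and only fails when the debugger tries to write it into the target.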