Examining data in Windbg when an address (ba) breakpoint is hit

Posted on 2024-08-15 10:43:01

I'd like to create a breakpoint such that it will create another one-time breakpoint that will 'dd' a certain memory address when that memory is written to.

So when the breakpoint is hit, I'd like to run a command like:

  ba w4 @ESP+4 /1 ''dd [memory address of this breakpoint]''

Since this breakpoint is being created by another breakpoint (and could potentially be called several times), I can't specify the breakpoint number. Otherwise I could use a pseudo register like '$bp3' to get the memory address of breakpoint #3

Would anyone have any thoughts on how to create a breakpoint command that can 'dd' the memory address of the breakpoint?

Thank you!

Comments (2)

心的憧憬 2024-08-22 10:43:01

You can elaborate to make use of other general-purpose pseudo-registers: t0..t19

bp your-address "r$t1=your-other-address; ba w4 @$t1 /1 \"dd @$t1;gc\""

陌伤ぢ 2024-08-22 10:43:01

If you know there will never be more than one "child" ba breakpoint defined, you can actually use a @$bpN pseudo-register by setting the "controlling" breakpoint's command to:

ba1 w4 /1 @esp+4 "dd @$bp1"

That is, specify the breakpoint number that this new breakpoint should be assigned, and the pseudo-register for that breakpoint is still defined within the breakpoint's command.

However, if you think the controlling breakpoint will be hit multiple times and want multiple ba breakpoints defined, that obviously won't work because then "breakpoint 1" will just be redefined each time. But you can still do it!

The trick is to make the controlling breakpoint's command actually contain the literal address text rather than try to go through a pseudo-register. And you can do that with text aliases.

Try this for your controlling breakpoint:

bu @WHATEVER "aS /x ${/v:baaddy} @esp+4; .block{ ba w4 /1 baaddy \"dd baaddy\"; ad ${/v:baaddy} }"

When the controlling breakpoint is hit, the following happens:

  • An alias is set up for the text "baaddy" with the value of evaluating the expression @esp+4.
  • The .block ensures that alias expansion happens for what follows.
  • The alias interpreter will then expand all occurrences of "baaddy" within the block, except for in the ad command (because of the /v switch).
  • So if the value of @esp+4 is 0x1234 the access breakpoint command literally becomes: ba w4 /1 0x1234 \"dd 0x1234\" with the actual address embedded in it.
  • Then the text alias is deleted.

It's important to delete the text alias at the end or the next time this controlling breakpoint is hit, the alias expansion will happen before the aS command, and "baaddy" will be expanded using the previous value. That also means it's important that this text alias does not exist the first time you set the controlling breakpoint's command.
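The two answers above each contribute a piece: the first resumes the target with gc after dumping, the second bakes the literal address into the child breakpoint through a text alias so that several one-shot children can coexist. Below is an added WinDbg script (my own, not code from either answer or from the original question) that puts both together. It assumes an x86 target, a hypothetical symbol MyModule!ProcessBuffer for the controlling breakpoint, a placeholder script path, and the same @esp+4 stack slot the question watches; everything else (bu, aS /x, ${/v:...}, .block, ba w4 /1, ad, gc, al, bl) is standard debugger syntax already used on this page.

```windbg
$$ Added example, not part of either answer above: a WinDbg script that combines
$$ the alias trick from the second answer with the gc from the first answer, so
$$ the one-shot data breakpoint dumps the written memory and then resumes.
$$ Run it with   $$>< C:\scripts\watch-stack-arg.wds   (placeholder path).
$$ Assumptions (not from the page): x86 target, controlling breakpoint on the
$$ hypothetical symbol MyModule!ProcessBuffer, and the value of interest is the
$$ first stack argument slot at @esp+4, exactly as in the question.

$$ The alias must not exist when the bu command below is parsed, otherwise
$$ baaddy is expanded with a stale value before aS ever runs. al lists aliases.
al

$$ Controlling breakpoint. On each hit:
$$   1. aS /x stores the hex value of @esp+4 as the literal text of alias baaddy
$$      (${/v:baaddy} keeps the alias name itself from being expanded).
$$   2. .block forces expansion of baaddy in everything that follows, so the
$$      child ba command is created with the real address baked into its text
$$      and several children with different addresses can coexist.
$$   3. ad removes the alias so the next hit starts clean.
$$   4. The child is a one-shot (/1) 4-byte write breakpoint whose command dumps
$$      four dwords at that address and continues (gc).
bu MyModule!ProcessBuffer "aS /x ${/v:baaddy} @esp+4; .block { .echo Watching writes to baaddy; ba w4 /1 baaddy \"dd baaddy L4; gc\"; ad ${/v:baaddy} }; gc"

$$ bl shows the controlling breakpoint and, after the first hit, each child ba
$$ breakpoint with its literal address visible in the command text.
bl
```

After the first hit, bl should show a child entry whose command reads like `dd 0x1234 L4; gc` with the concrete address in place of baaddy. The reason to prefer this over the $t1 variant from the first answer when the controlling breakpoint can fire more than once: `dd @$t1` is evaluated when the child fires, so if the controlling breakpoint has hit again in the meantime, the child dumps the newer address rather than the one it was created for. The alias form has no such ambiguity because the address is fixed text by the time the child breakpoint exists. Note that a `$$` comment ends at the next semicolon, so keep semicolons out of comment lines in a script file.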
