Examining data in Windbg when an address (ba) breakpoint is hit
I'd like to create a breakpoint such that it will create another one-time breakpoint that will 'dd' a certain memory address when that memory is written to.
So when the breakpoint is hit, I'd like to run a command like:
ba w4 @ESP+4 /1 "dd [memory address of this breakpoint]"
Since this breakpoint is being created by another breakpoint (and could potentially be called several times), I can't specify the breakpoint number. Otherwise I could use a pseudo-register like $bp3 to get the memory address of breakpoint #3.
Would anyone have any thoughts on how to create a breakpoint command that can 'dd' the memory address of the breakpoint?
Thank you!
Comments (2)
You can elaborate on this to make use of the other general-purpose pseudo-registers: t0..t19.
If you know there will never be more than one "child" ba breakpoint defined, you can actually use a @$bpN pseudo-register by setting the "controlling" breakpoint's command accordingly. That is, specify the breakpoint number that this new breakpoint should be assigned, and the pseudo-register for that breakpoint is still defined within the breakpoint's command.
However, if you think the controlling breakpoint will be hit multiple times and want multiple ba breakpoints defined, that obviously won't work because then "breakpoint 1" will just be redefined each time. But you can still do it!
The trick is to make the controlling breakpoint's command actually contain the literal address text rather than try to go through a pseudo-register. And you can do that with text aliases.
Try this for your controlling breakpoint:
When the controlling breakpoint is hit, the following happens:
1. aS stores the address @esp+4 in the text alias "baaddy".
2. .block ensures that alias expansion happens for what follows.
3. The ba command is entered with the alias expanded. If @esp+4 is 0x1234, the access breakpoint command literally becomes: ba w4 /1 0x1234 "dd 0x1234", with the actual address embedded in it.
4. ad deletes the alias; the alias name is not expanded in the ad command (because of the /v switch).
It's important to delete the text alias at the end, or the next time this controlling breakpoint is hit the alias expansion will happen before the aS command, and "baaddy" will be expanded using the previous value. That also means it's important that this text alias does not exist the first time you set the controlling breakpoint's command.
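Both controlling-breakpoint commands the answer describes, written out in full as an added example. This is not the answer's own command text, which the page does not preserve. The alias name baaddy and the expression @esp+4 are taken from the answer; the symbol MyModule!MyFunction used as the controlling breakpoint location, the /x switch on aS (so the alias holds the evaluated hex address rather than the literal text "@esp+4"), the /q switch on ad, the ${/v:} form that stops the alias name from being expanded, and the trailing g that resumes the target are assumptions chosen to produce the behaviour the answer describes (the child command literally becoming ba w4 /1 0x1234 "dd 0x1234").

```windbg
$$ Start clean: the alias must not exist when the controlling breakpoint's
$$ command text is entered, or the name would be expanded with a stale value.
$$ /q suppresses the error if no such alias exists yet (assumption).
ad /q ${/v:baaddy}

$$ Variant 1 (at most one child outstanding): give the child a fixed ID (1) so
$$ its command can read its own address through the @$bp1 pseudo-register.
$$ Every hit of the controlling breakpoint simply redefines breakpoint 1.
bp MyModule!MyFunction "ba1 w4 /1 @esp+4 \"dd @$bp1\"; g"

$$ Variant 2 (several children outstanding): bake the literal address into the
$$ child's command through a text alias, so no breakpoint number is needed.
$$   aS /x baaddy @esp+4                 evaluate @esp+4 now, store the hex value in alias baaddy
$$   .block { ... }                      expand aliases in the enclosed text after aS has run
$$   ba w4 /1 ${baaddy} "dd ${baaddy}"   one-shot write breakpoint with the address embedded twice
$$   ad /q ${/v:baaddy}                  delete the alias; ${/v:} keeps the name literal so the
$$                                       same text still names the alias on the next hit
bp MyModule!MyFunction "aS /x baaddy @esp+4; .block { ba w4 /1 ${baaddy} \"dd ${baaddy}\" }; ad /q ${/v:baaddy}; g"
```

Two caveats when using this in practice. A w4 access breakpoint requires a 4-byte-aligned address, so the expression you snapshot must be aligned or the ba command will be rejected. And ba breakpoints are backed by the processor's hardware debug registers, of which x86 has four, so with variant 2 no more than four one-shot children can be outstanding at once; if the controlling breakpoint fires a fifth time before a write has consumed one of them, that ba command fails.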