1) reip
2) dt 0x00411900
3) Bp
If Address is omitted, the current instruction pointer is used.
In WinDbg, you can create a conditional breakpoint by choosing Edit | Breakpoints, entering a new breakpoint address into the Command text box, and entering a condition into the Condition text box.
For each breakpoint, the command displays the following:
- The breakpoint ID. This is a decimal number that can be used to refer to the breakpoint in future commands.
- The breakpoint status: either e (enabled) or d (disabled).
- The letter u appears if the breakpoint is unresolved (that is, it does not match a symbolic reference in any currently loaded module).
- The virtual address or symbolic expression that constitutes the breakpoint location. If source line number loading has been enabled, the bl command displays file and line number information rather than address offsets. If the breakpoint is unresolved, the address is omitted here and appears at the end of the listing instead.
- (Data breakpoints only) Type and size information are displayed for data breakpoints. Possible types are: e (execute), r (read/write), w (write), or i (input/output). These types are followed with the size of the block, in bytes. See the ba (Break on Access) command for details.
- The number of passes remaining until the breakpoint is activated, followed by the initial number of passes in parentheses. (For more information, see the description of the Passes parameter in bp, bu, bm (Set Breakpoint).)
- The associated process and thread are displayed. If thread is given as "***", this indicates that this is not a thread-specific breakpoint.
- The module and function, with offset, corresponding to the breakpoint address. If the breakpoint is unresolved, the breakpoint address appears here instead, in parentheses. If the breakpoint is set on a valid address but symbol information is missing, this field will be blank.
- The command that will be automatically executed when this breakpoint is hit. This command is displayed in quotation marks.
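A small parser for the listing fields described above, useful when reviewing a saved debugger log. This is an added example, not part of the original slides; the sample lines, their addresses, LateModule!Init, the column spacing and the hex pass counts are assumptions.

```python
import re

# Field order follows the bl description above; the column spacing is an assumption.
BL_LINE = re.compile(r"""
    ^\s*(?P<id>\d+)\s+                              # breakpoint ID (decimal)
    (?P<status>[ed])(?P<unresolved>u?)\s+           # e/d, then u if unresolved
    (?:(?P<address>[0-9a-fA-F`]+)\s+)?              # omitted when unresolved
    (?:(?P<access>[erwi])\s+(?P<size>\d+)\s+)?      # data breakpoints only
    (?P<remaining>[0-9a-fA-F]+)\s+\((?P<initial>[0-9a-fA-F]+)\)\s*
    (?:(?P<process>\d+):(?P<thread>\S+)\s*)?        # process:thread
    (?P<location>\(.*?\)|[^\s"]+)?\s*               # module!function+offset
    (?:"(?P<command>.*)")?\s*$                      # auto-executed command
""", re.VERBOSE)

def parse_bl_line(line):
    """Return a dict of the fields in one bl line, or None if it does not match."""
    m = BL_LINE.match(line)
    if m is None:
        return None
    bp = m.groupdict()
    bp["id"] = int(bp["id"])
    bp["enabled"] = bp.pop("status") == "e"
    bp["unresolved"] = bp["unresolved"] == "u"
    bp["size"] = int(bp["size"]) if bp["size"] else None
    # Pass counts are assumed to be printed in hex (WinDbg's default radix).
    bp["remaining"] = int(bp["remaining"], 16)
    bp["initial"] = int(bp["initial"], 16)
    # A thread field made only of asterisks means "not thread-specific".
    bp["thread_specific"] = bool(bp["thread"]) and set(bp["thread"]) != {"*"}
    if bp["location"]:
        bp["location"] = bp["location"].strip("()")
    return bp

def review(lines):
    bps = [bp for bp in map(parse_bl_line, lines) if bp]
    return {
        "disabled": [bp["id"] for bp in bps if not bp["enabled"]],
        "unresolved": [bp["id"] for bp in bps if bp["unresolved"]],
        "data": [(bp["id"], bp["access"], bp["size"]) for bp in bps if bp["access"]],
        "with_command": [bp["id"] for bp in bps if bp["command"]],
    }

# Constructed sample listing (addresses and LateModule!Init are made up).
SAMPLE = [
    ''' 0 e 00401000     0001 (0001)  0:**** PrimeHunter!printPrimes "j (poi(targetNumber)>0n5) '';'gc'"''',
    " 1 d 00403018 r 4 0001 (0001)  0:**** PrimeHunter!targetNumber",
    " 2 eu             0003 (0005) (LateModule!Init)",
]
print(review(SAMPLE))
```

Breakpoints that carry a command string deserve a second look in a shared workspace, since that command runs automatically whenever the breakpoint is hit.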
WinDbg Basics Setting Breakpoints Homeoftester.com Aug. 2008
The bp, bu, and bm commands set new breakpoints, but they have different characteristics:
The bp (Set Breakpoint) command sets a new breakpoint at the address of the breakpoint location that is specified in the command. If the address expression of the breakpoint location is not resolvable when the breakpoint is set, the bp breakpoint is automatically converted to a bu breakpoint.
The bu (Set Unresolved Breakpoint) command sets a deferred or unresolved breakpoint. A bu breakpoint is set on a symbolic reference to the breakpoint location specified in the command (not on an address) and is activated whenever the module with the reference is resolved. Breakpoints set by using bu are saved in WinDbg workspaces.
The bm (Set Symbol Breakpoint) command sets a new breakpoint on symbols matching a specified pattern. This command can create more than one breakpoint. By default, after the pattern is matched, bm breakpoints are the same as bu breakpoints; they are deferred breakpoints that are set on a symbolic reference. However, a bm /d command creates one or more bp breakpoints. Each breakpoint is set on the address of a matched location and does not track module state.
A conditional breakpoint is created by combining a breakpoint command with j (Execute If - Else) and gc (Go from Conditional Breakpoint) to cause a break to occur only if a specific condition is satisfied.
bp PrimeHunter!printPrimes "j (poi(targetNumber)>0n5) '';'gc'"
Specifies the ID numbers of the breakpoints to be disabled / enabled. Any number of breakpoints can be specified; multiple IDs must be separated by spaces or by commas. A range of breakpoint IDs can be specified with a hyphen. An asterisk (*) can be used to indicate all breakpoints.
The ba command sets a data breakpoint, which will be triggered when the specified memory is accessed.
ba r4 targetNumber
The size of the location, in bytes, to be monitored for access. On an x86 processor, this parameter can be 1, 2, or 4 — unless Access equals e, in which case Size must be 1. On an x64 processor, this parameter can be 1, 2, 4, or 8 — unless Access equals e, in which case Size must be 1. On an Itanium processor, this parameter can be any power of 2, from 1 to 0x80000000. There can be no space between Access and Size.
Option: Action
- e (execute): Breaks into the debugger when the CPU fetches an instruction from the specified address.
- r (read/write): Breaks into the debugger when the CPU reads or writes at the specified address.
- w (write): Breaks into the debugger when the CPU writes at the specified address.
- i (i/o): (Windows XP and later, kernel mode only, x86 only) Breaks into the debugger when the I/O port at the specified Address is accessed.