PowerPoint Slides


  • 1) reip 2) dt 0x00411900 3) bp (if Address is omitted, the current instruction pointer is used)
  • In WinDbg, you can create a conditional breakpoint by choosing Edit | Breakpoints, entering a new breakpoint address into the Command text box, and entering a condition into the Condition text box.
  • For each breakpoint, the bl command displays the following:
      • The breakpoint ID. This is a decimal number that can be used to refer to the breakpoint in future commands.
      • The breakpoint status: either e (enabled) or d (disabled).
      • The letter u appears if the breakpoint is unresolved (that is, it does not match a symbolic reference in any currently loaded module).
      • The virtual address or symbolic expression that constitutes the breakpoint location. If source line number loading has been enabled, the bl command displays file and line number information rather than address offsets. If the breakpoint is unresolved, the address is omitted here and appears at the end of the listing instead.
      • (Data breakpoints only) Type and size information are displayed for data breakpoints. Possible types are: e (execute), r (read/write), w (write), or i (input/output). These types are followed with the size of the block, in bytes. See the ba (Break on Access) command for details.
      • The number of passes remaining until the breakpoint is activated, followed by the initial number of passes in parentheses. (For more information, see the description of the Passes parameter in bp, bu, bm (Set Breakpoint).)
      • The associated process and thread. If thread is given as "***", this indicates that this is not a thread-specific breakpoint.
      • The module and function, with offset, corresponding to the breakpoint address. If the breakpoint is unresolved, the breakpoint address appears here instead, in parentheses. If the breakpoint is set on a valid address but symbol information is missing, this field will be blank.
      • The command that will be automatically executed when this breakpoint is hit. This command is displayed in quotation marks.
  • PowerPoint Slides

    1. WinDbg Basics: Setting Breakpoints (Homeoftester.com, Aug. 2008)
    2. The AUT - PrimeHunter
        • PrimeHunter is a demo application to find prime numbers less than any given natural number
    3. Breakpoint Cmds of WinDbg
        • Bp
            • Bp is the command to set one or more software breakpoints. It can be used to combine locations, conditions and options to set different kinds of software breakpoints.
        • Bl
            • Bl lists existing breakpoints
        • Bc
            • Bc clears existing breakpoints
    4. Bp vs Bu and Bm
        • The bp, bu, and bm commands set new breakpoints, but they have different characteristics:
        • The bp (Set Breakpoint) command sets a new breakpoint at the address of the breakpoint location that is specified in the command. If the address expression of the breakpoint location is not resolvable when the breakpoint is set, the bp breakpoint is automatically converted to a bu breakpoint.
        • The bu (Set Unresolved Breakpoint) command sets a deferred or unresolved breakpoint. A bu breakpoint is set on a symbolic reference to the breakpoint location specified in the command (not on an address) and is activated whenever the module with the reference is resolved. Breakpoints set by using bu are saved in WinDbg workspaces.
        • The bm (Set Symbol Breakpoint) command sets a new breakpoint on symbols matching a specified pattern. This command can create more than one breakpoint. By default, after the pattern is matched, bm breakpoints are the same as bu breakpoints; they are deferred breakpoints that are set on a symbolic reference. However, a bm /d command creates one or more bp breakpoints. Each breakpoint is set on the address of a matched location and does not track module state.
            • A fun one worth trying: bm *
    5. Set a breakpoint - Bp
        • The Bp command can set a breakpoint
        • [~Thread] bp[ID] [Options] [Address [Passes]] ["CommandString"]
            • The most important parameter: Address. It decides where to set the breakpoint
            • If Address is omitted, the current instruction pointer is used (the register eip)
        • bp
        • bp PrimeHunter!main+0x46
        • bp PrimeHunter!printPrimes
    6. Advanced Bp (1)
        • Set a one-time breakpoint
        • /1 Creates a "one-shot" breakpoint. After this breakpoint is triggered, it is deleted from the breakpoint list.
            • bp /1 PrimeHunter!printPrimes
        • Break based on the depth of the call stack
        • /c MaxCallStackDepth Activates the breakpoint only when the call stack depth is less than MaxCallStackDepth. This option cannot be combined with /C.
        • /C MinCallStackDepth Activates the breakpoint only when the call stack depth is greater than MinCallStackDepth. This option cannot be combined with /c.
            • bu /c 1 PrimeHunter!printPrimes
            • bu /C 5 PrimeHunter!printPrimes
    7. Advanced Bp (2)
        • Set Conditional Breakpoints
        • A conditional breakpoint is created by combining a breakpoint command with j (Execute If - Else) and gc (Go from Conditional Breakpoint) to cause a break to occur only if a specific condition is satisfied.
            • bp PrimeHunter!printPrimes "j (poi(targetNumber)>0n5) '';'gc'"
    8. Listing Breakpoints - BL
        • The bl command lists information about existing breakpoints.
        • bl [Breakpoints]
        • 0 e 7c92120e 0001 (0001) 0:**** ntdll!DbgBreakPoint
    9. Clear Breakpoints - BC
        • The bc command permanently removes previously set breakpoints from the system.
            • bc 0
            • bc *
    10. Disable/Enable Breakpoints - Bd and Be
        • Bd / Be
        • Specifies the ID numbers of the breakpoints to be disabled / enabled. Any number of breakpoints can be specified; multiple IDs must be separated by spaces or by commas. A range of breakpoint IDs can be specified with a hyphen. An asterisk (*) can be used to indicate all breakpoints.
            • bd 0
            • be 0
    11. Renumber breakpoints - Br
        • The br command renumbers one or more breakpoints.
            • br 0 2
    12. Set a breakpoint on access - BA
        • The ba command sets a data breakpoint, which will be triggered when the specified memory is accessed.
        • ba r4 targetNumber
            • Size: the size of the location, in bytes, to be monitored for access. On an x86 processor, this parameter can be 1, 2, or 4, unless Access equals e, in which case Size must be 1. On an x64 processor, this parameter can be 1, 2, 4, or 8, unless Access equals e, in which case Size must be 1. On an Itanium processor, this parameter can be any power of 2, from 1 to 0x80000000. There can be no space between Access and Size.
        • Access options (Option: Action)
            • e (execute): Breaks into the debugger when the CPU fetches an instruction from the specified address.
            • r (read/write): Breaks into the debugger when the CPU reads or writes at the specified address.
            • w (write): Breaks into the debugger when the CPU writes at the specified address.
            • i (i/o): (Windows XP and later, kernel mode only, x86 only) Breaks into the debugger when the I/O port at the specified Address is accessed.
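
The bl fields listed in the slide notes, and the sample line on slide 8, can be parsed mechanically when a debugging session is scripted or logged. The following Python parser is an added example, not part of the original slides; the exact column spacing, the `r 4` token form for data breakpoints, the addresses, and every sample line except the ntdll one are constructed assumptions, and `OtherModule!init` is a hypothetical symbol.

```python
import re

# Field order follows the bl description in the slide notes; spacing is an assumption.
BL_LINE = re.compile(r"""
    ^\s*(?P<id>\d+)\s+                            # decimal breakpoint ID
    (?P<status>[ed])(?P<unresolved>u?)\s+         # e/d, plus u when unresolved
    (?:(?P<address>[0-9a-fA-F`]+)\s+)?            # omitted for unresolved breakpoints
    (?:(?P<access>[erwi])\s*(?P<size>\d+)\s+)?    # data breakpoints only: type and size
    (?P<left>[0-9a-fA-F]+)\s+\((?P<init>[0-9a-fA-F]+)\)\s*   # passes left (initial)
    (?:(?P<process>\d+):(?P<thread>\*+|~?[0-9a-fA-F]+)\s*)?  # process:thread
    (?P<location>\([^)]*\)|[^\s"]+)?\s*           # module!function+offset, or (unresolved)
    (?:"(?P<command>.*)")?\s*$                    # command run on hit, shown in quotes
""", re.VERBOSE)

def parse_bl(output):
    """Return one dict per breakpoint line; prompt and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = BL_LINE.match(line)
        if not m:
            continue
        f = m.groupdict()
        rows.append({
            "id": int(f["id"]),
            "enabled": f["status"] == "e",
            "unresolved": f["unresolved"] == "u",
            "address": f["address"],
            "data_access": f["access"],
            "data_size": int(f["size"]) if f["size"] else None,
            "passes": (f["left"], f["init"]),     # kept as displayed, not converted
            "thread_specific": bool(f["thread"]) and set(f["thread"]) != {"*"},
            "location": (f["location"] or "").strip("()") or None,
            "command": f["command"],
        })
    return rows

# Constructed sample; only the ntdll line appears in the slides.
SAMPLE = """0:000> bl
 0 e 7c92120e     0001 (0001)  0:**** ntdll!DbgBreakPoint
 1 e 00411a30     0001 (0001)  0:**** PrimeHunter!printPrimes "j (poi(targetNumber)>0n5) '';'gc'"
 2 d 00417000 r 4 0001 (0001)  0:**** PrimeHunter!targetNumber
 3 eu             0001 (0001) (OtherModule!init)
"""

if __name__ == "__main__":
    for row in parse_bl(SAMPLE):
        print(row)
```

Filtering the result for `unresolved` entries is a quick check that a breakpoint set with bu or bm has not yet bound to a loaded module.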