Johan

Reputation: 615

How to get the address of a C++ attribute from Windbg by script

How can I get the address of an attribute of an instance in Windbg using a script file?

An attribute changes unexpectedly and I can't see from where the value is changed in the Visual Studio 2010 debugger, and using a breakpoint on the memory address does not help since I cannot unset the breakpoint after the destructor of the class was called. The specific instance of the object where the error occurs is also not fixed.

This is a user space application.

Upvotes: 3

Views: 343

Answers (1)

Kjell Gunnar

Reputation: 3067

If I understand you correctly, you need to set a ba (Break on Access) on the address + offset of a C++ class instance. This is possible as long as the class in question is not instantiated a lot of times.

1) Create an ordinary bp break in the constructor after the attribute is initialized.

bp Foo::Foo+<xxx>

You must figure out the offset of the attribute; check here.

You must figure out which register holds the this pointer at this moment.

2) Then modify the 1) break to set an additional ba (Break on Access).

The break address must then be calculated as this + offset. It is important that the ID is specified because we must delete the break in the destructor.

It should be something like:

bp <module>!Foo::Foo+<xxx> "ba[@eax] w4 @eax+4;gc"
From hlp:
[~Thread] ba[ID] Access Size [Options] [Address [Passes]] ["CommandString"]

3) Set a code break (bp) in the destructor, and remove the ba from above. Again, you must find a register which directly or indirectly holds the this pointer. Something like:

bc[poi(@ebp-0x08)]

I have done this; it works as long as you don’t run out of breakpoints if the program instantiates too many.

NB: the syntax may not be 100% correct, it’s some time since last time.

Upvotes: 1
