WinDbg: how to know a break happened in WinDbg?

Question

How can I automate the debugging process?

I have a WinDbg script with some basic commands which I want to run when a break occurred in the process/application that I attached to WinDbg. How can I know that there is break in WinDbg, and how to launch the script automatically?

Answer 1

Python sample:

from pykd import *

def bpCallback():

    if is64bitSystem():
        objAttr = typedVar( "ntdll", "_OBJECT_ATTRIBUTES", reg("r8") ) 
    else:
        objAttr = typedVar( "ntdll", "_OBJECT_ATTRIBUTES", ptrPtr(reg("esp") + 0xC) )  

    name = loadUnicodeString( objAttr.ObjectName )

    dprintln( "NtCreateFile: " + name )

    return DEBUG_STATUS_GO_HANDLED


if not isWindbgExt():
    startProcess("notepad.exe")


if not isDumpAnalyzing() and not isKernelDebugging():
    
    nt = loadModule("ntdll")

    b1 = bp( nt.NtCreateFile, bpCallback )

    # wait for user break, exceptions or process exit
    go()

    dprintln( "stopped" )    

else:

    dprintln( "The debugger must be connected to live usermode process" )    

Python extension for windbg abailable here: pykd.codeplex.com

Answer 2

Are you running the application with windbg already attached, or are you JIT debugging? If the latter (i.e., you're relying on the setting in HKLM\Softare\Microsoft\Windows NT\AEDebug\Debugger), then simply modify the value of the Debugger key to use the "-c" command to run a command after the debugger attaches.

Assuming the former, then you could try starting the debugging server using a named pipe or tcp (with the .server command). You can then write a console app to start an instance of cdb as a client to connect to the aforementioned windbg server and have the app parse stdout until you see the debugger prompt. You can then effectively automate the debugging session from that point on. Thus, it gets reduced a parsing exercise, possibly wrapped in an FSM depending on how complex you want to get.

Answer 3

You can use the command string option when setting the breakpoint to run any windbg command. Have this run your script.

Something like:

bp  <address to set break> "$$><c:\\temp\\dbgscript.txt;g"

I believe you should be able to do the same thing with the sx command if you mean "when an exception is thrown" by "when there is a break occurred in the process".