Dakusan

Reputation: 6691

Windows kernel conditional breakpoint not evaluating

I'm using the Windows kernel debugger through Visual Studio 2013 and I'm trying to stop (break) in a function (nt!KiSwapContext) but only for a specific process (0x920).

The breakpoint works without a condition: bp nt!KiSwapContext

I determined the Process ID for the current thread can be found with: dt dword poi(gs:[188h])+3B8h

I've confirmed the following conditional works to see if I am on the right thread: ? poi(poi(gs:[188h])+3B8h)==0x920

However, when I try to set the conditional breakpoint it always breaks no matter what I put in the if/else. So I am guessing it thinks the expression is invalid and is just ignoring it. I've confirmed that if I do enter an invalid expression it just accepts it without warning or error and always stops on the breakpoint.

The expression I am using is: bp nt!KiSwapContext ".if (poi(poi(gs:[188h])+3B8h)==0x920) {} .else {gc}"

I also tried using the j conditional syntax to no avail.

Any ideas on what I am doing wrong?

[Edit] Oh, as a bonus, how can I do the conditional check with a dword instead of a qword on a 64-bit processor? ? poi(poi(gs:[188h])+3B8h) returns a qword value. I know I can use dd to get the value, but I can't seem to figure out how to add that into the conditional. Something like ? dword(poi(gs:[188h])+3B8h)==0x920 or ? {dd poi(gs:[188h])+3B8h}==0x920

Upvotes: 3

Views: 682

Answers (1)

blabb

Reputation: 9007

WinDbg allows you to set process-specific breakpoints with /p.
You shouldn't be mucking with the gs and fs registers.

kd> bl

kd> !process 0 0 calc.exe
Failed to get VAD root
PROCESS 8113d528  SessionId: 0  Cid: 07a0    Peb: 7ffde000  ParentCid: 043c
    DirBase: 03d27000  ObjectTable: e15ba240  HandleCount:  28.
    Image: calc.exe

kd> bp /p 8113d528 nt!KiSwapContext "?? (char *)(@$proc->ImageFileName)"
kd> g
char * 0x8113d69c
 "calc.exe"
nt!KiSwapContext:
804db828 83ec10          sub     esp,10h
kd> g
char * 0x8113d69c
 "calc.exe"
nt!KiSwapContext:
804db828 83ec10          sub     esp,10h

Use dwo() and qwo() as required to evaluate a dword and a qword.

kd> ? qwo ( ffb9cda8 + 70)
Evaluate expression: -9142252815570161280 = 81203180`81203180
kd> ? dwo ( qwo ( ffb9cda8 + 70))
Evaluate expression: -4600296 = ffb9ce18

confirmation

kd> dd 81203180 l1
81203180  ffb9ce18
kd> dd ffb9cda8+70 l1
ffb9ce18  81203180

Edit

I can't access an x64 system atm so I can't tell you what the error in your expression is,
but in general you should avoid hard-coding unless it is absolutely necessary.

in your case it is not necessary

WinDbg provides you pseudo-registers for what you are hard-coding.

$thread is the C++ expression for the CurrentThread pointer, i.e. (nt!_ETHREAD *).

So $thread->Cid.UniqueProcess is what you are evaluating with your gs:[...] expression.

with that in mind you can set a breakpoint like this

bp nt!KiSwapContext " r? $t0 = @$thread->Cid.UniqueProcess ;.if( @$t0 != 0x740 ) {? @$t0;?? (char * )@$proc->ImageFileName ;gc }"

This conditional will break only if calc.exe is the current process:

kd> g
Evaluate expression: 404 = 00000194
char * 0x81105c84
 "csrss.exe"
XXXXXXXXXXX
Evaluate expression: 4 = 00000004
char * 0x8129196c
 "System"
xxxxxxxxxxxxxxxxxxxxxxxxxxx
Evaluate expression: 1404 = 0000057c
char * 0x8114a4bc
 "vpcmap.exe"
Evaluate expression: 480 = 000001e0
char * 0x8112a98c
 "services.exe"
Evaluate expression: 492 = 000001ec
char * 0x811cc9ac
 "lsass.exe"
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
Evaluate expression: 1116 = 0000045c
char * 0xffaf9da4
 "explorer.exe"
Evaluate expression: 644 = 00000284
char * 0xffb74f14
 "svchost.exe"

nt!KiSwapContext: <---------------------------Conditional broke here
804db828 83ec10          sub     esp,10h

kd> ? @$t0;?? (char * )@$proc->ImageFileName
Evaluate expression: 1856 = 00000740
char * 0x8110e76c
 "calc.exe"

Keep in mind that evaluating conditions in a very hot path will make you endure unbearable pain watching it crawl by.

nt!KiSwapContext is called hundreds of times in a few seconds and you will be seeing a very noticeable performance degradation in your session.

Whenever possible use process-specific or thread-specific breakpoints; do not evaluate conditions.

No, I don't use any cheat sheet (Google says there are a few available); I prefer the manual or, in some cases, the online MSDN documentation.

Upvotes: 5
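As an added worked example (it is not part of the question or of the answer above), here is the command sequence a kernel-debugging session would use to put the answer's points together: locate the target EPROCESS once, prefer a /p (or /t) filtered breakpoint so nothing is evaluated on the hot path, fall back to the pseudo-register condition when a condition is unavoidable, and apply dwo() to the questioner's own offset-based expression for the 64-bit bonus question. <EPROCESS> is a placeholder for the address !process prints, 0x920 is the Cid from the question, and the sample output line is constructed. The dwo() form in step 4 assumes the gs:[188h] reference evaluates inside a breakpoint command exactly as the questioner's working ? expression does; since that is the very point the question leaves unresolved, steps 2 and 3 are the ones to rely on.

```windbg
$$ Added example, not from the original post. <EPROCESS> is a placeholder to be
$$ replaced by the PROCESS address that !process prints; 0x920 is the Cid from
$$ the question.

$$ 1. Locate the target process once, instead of testing its Cid on every
$$    context switch.
!process 0 0 calc.exe
$$    -> PROCESS <EPROCESS>  SessionId: 0  Cid: 0920 ...   (constructed output)

$$ 2. Preferred: let the debugger filter by process, so no condition is
$$    evaluated in nt!KiSwapContext at all.
bp /p <EPROCESS> nt!KiSwapContext
$$    Thread-specific variant, for the thread that is current when you type it:
$$ bp /t @$thread nt!KiSwapContext

$$ 3. If a condition is unavoidable, use the pseudo-registers rather than a
$$    hard-coded gs:[188h]+3B8h offset; the field layout then comes from symbols.
$$    Matching process: print the image name and stay broken in.
$$    Any other process: gc resumes without stopping.
bp nt!KiSwapContext "r? $t0 = @$thread->Cid.UniqueProcess; .if (@$t0 != 0x920) { gc } .else { ?? (char *)@$proc->ImageFileName }"

$$ 4. The 64-bit bonus question: read the Cid field as a dword with dwo() so the
$$    high half of the qword cannot defeat the comparison against 0x920.
$$    (Assumes the gs: reference parses inside the command string as it does
$$    in the questioner's standalone ? expression.)
bp nt!KiSwapContext ".if (dwo(poi(gs:[188h])+3B8h) != 0x920) { gc }"

$$ 5. Review the active breakpoints and their command strings before resuming.
bl
g
```

Steps 2, 3 and 4 are alternatives for the same goal, not a chain: set the one that fits and clear the others with bc, otherwise each of them fires on every context switch and the slowdown the answer warns about is multiplied.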
