Malcolm McCaffery

Reputation: 2576

How to Set Breakpoint in WinDbg on api-ms-* Calls in Windows 10

For example, IDA Pro shows an import table containing the function CheckTokenMembership in the library api-ms-win-security-base-l1-2-0.

Checking the MSDN info for the API call, https://msdn.microsoft.com/en-us/library/windows/desktop/aa376389(v=vs.85).aspx, it says it is in advapi32.dll.

However, trying

bp advapi32!CheckTokenMembership

results in the error Couldn't resolve error at 'advapi32!CheckTokenMembership'.

Upvotes: 1

Views: 1818

Answers (2)

kvr

Reputation: 573

I verified on a crash dump file that advapi32.dll exports the CheckTokenMembership function, so setting a breakpoint should be possible. It's likely in your scenario the module has not yet been loaded, so how about trying 'bu' instead? From WinDbg help:

  • The bu (Set Unresolved Breakpoint) command sets a deferred or unresolved breakpoint. A bu breakpoint is set on a symbolic reference to the breakpoint location that is specified in the command (not on an address) and is activated whenever the module with the reference is resolved. For more information about these breakpoints, see Unresolved Breakpoints (bu Breakpoints).

76b51ca2 advapi32!CheckTokenMembership ()

Upvotes: 0

Anders

Reputation: 101666

CheckTokenMembership is and always will be exported by advapi32.dll. The problem is that WinDbg uses the symbol name if you have symbols for said module.

What I would do is type bp ADVAPI32!CheckTokenMembership and then press Tab and you should end up with bp ADVAPI32!CheckTokenMembershipStub. This trick does not work for everything, sometimes you have to figure out the forward yourself or take a peek at the ntdll.dll and kernelbase.dll exports.

api- files do not contain code, they are just a layering exercise that Microsoft is forcing on everyone for some reason. I believe they are a result of the MinWin experiment and they might possibly some day contain code but even then kernel32 and friends will still have forwarders to maintain compatibility so there is no reason for anyone outside Microsoft to use the api- files (IMHO).

Upvotes: 2
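An added example, not part of either answer: the "figure out the forward yourself" step above, done with a standard-library Python script that walks a DLL's export directory and flags forwarder exports. A named export whose function RVA points back inside the export directory is not code at all; it is an ASCII "TargetDll.TargetName" string, which for Windows 10 system DLLs is often an api-ms-* API set name that you then have to map to the host DLL (the kernelbase.dll or ntdll.dll exports the answer mentions) before a bu will resolve. Everything named fake.dll, LocalFn and build_test_dll is a constructed fixture so the script runs offline; the forwarder string used in the fixture is an assumption for illustration and is not a claim about what the real advapi32.dll contains (on Windows 10 the Tab trick above lands on a Stub function, not a forwarder). Pass a real path, for example C:\Windows\System32\advapi32.dll, to run it against an actual DLL.

```python
"""Added example: list a DLL's named exports and flag forwarders.

Standard library only.  build_test_dll() constructs a minimal, NOT loadable,
PE32+ image so parse_exports() can be exercised offline; fake.dll, LocalFn
and the forwarder string below are constructed fixtures, not real binaries.
"""
import struct
import sys


def parse_exports(image: bytes) -> dict:
    """Map export name -> ("forwarder", "TargetDll.TargetName") or ("code", rva)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", image, opt)[0]
    data_dirs = opt + (112 if magic == 0x20B else 96)      # PE32+ vs PE32
    exp_rva, exp_size = struct.unpack_from("<II", image, data_dirs)  # dir entry 0
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def file_offset(rva: int) -> int:
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstring(rva: int) -> str:
        start = file_offset(rva)
        return image[start:image.index(b"\0", start)].decode("ascii")

    if exp_rva == 0:
        return {}
    d = file_offset(exp_rva)
    _nfuncs, nnames, funcs, names, ords = struct.unpack_from("<IIIII", image, d + 20)
    exports = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", image, file_offset(names) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, file_offset(ords) + 2 * i)[0]
        func_rva = struct.unpack_from("<I", image, file_offset(funcs) + 4 * ordinal)[0]
        name = cstring(name_rva)
        # A function RVA inside the export directory itself is a forwarder string.
        if exp_rva <= func_rva < exp_rva + exp_size:
            exports[name] = ("forwarder", cstring(func_rva))
        else:
            exports[name] = ("code", func_rva)
    return exports


def breakpoint_target(dll: str, name: str, exports: dict) -> str:
    """Where a WinDbg 'bu' for dll!name should really point."""
    kind, target = exports[name]
    if kind == "code":
        return f"{dll}!{name}"
    target_dll, _, target_name = target.partition(".")
    if target_dll.lower().startswith(("api-ms-", "ext-ms-")):
        # An API set is a contract, not a loaded module: its host DLL has to be
        # looked up separately (kernelbase.dll / ntdll.dll exports on Windows 10).
        return f"<host of {target_dll}>!{target_name}"
    return f"{target_dll}!{target_name}"


def build_test_dll(exports, dll_name=b"fake.dll") -> bytes:
    """Constructed fixture: minimal PE32+ image with one .edata section.

    exports: list of (name, target); target is a forwarder string or a code RVA.
    """
    sec_rva, sec_off = 0x1000, 0x200
    n = len(exports)
    funcs_off = 40                         # tables follow the 40-byte directory
    names_off = funcs_off + 4 * n
    ords_off = names_off + 4 * n
    strings = bytearray()

    def add_string(s: bytes) -> int:       # returns the RVA of the stored string
        rva = sec_rva + ords_off + 2 * n + len(strings)
        strings.extend(s + b"\0")
        return rva

    name_rva = add_string(dll_name)
    name_rvas, func_rvas = [], []
    for name, target in sorted(exports, key=lambda e: e[0]):  # name table is sorted
        name_rvas.append(add_string(name.encode()))
        func_rvas.append(add_string(target.encode()) if isinstance(target, str) else target)
    sec_size = ords_off + 2 * n + len(strings)
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, name_rva, 1, n, n,
                        sec_rva + funcs_off, sec_rva + names_off, sec_rva + ords_off)
    edata += struct.pack(f"<{n}I", *func_rvas) + struct.pack(f"<{n}I", *name_rvas)
    edata += struct.pack(f"<{n}H", *range(n)) + bytes(strings)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + struct.pack("<II", sec_rva, sec_size)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022)
    section = b".edata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", sec_size, sec_rva, sec_size, sec_off, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    headers = dos + b"PE\0\0" + coff + opt + section
    return headers.ljust(sec_off, b"\0") + edata


if __name__ == "__main__":
    if len(sys.argv) > 1:                  # e.g. C:\Windows\System32\advapi32.dll
        dll, image = sys.argv[1], open(sys.argv[1], "rb").read()
    else:                                  # constructed fixture, see build_test_dll
        dll, image = "fake.dll", build_test_dll([
            ("CheckTokenMembership", "api-ms-win-security-base-l1-2-0.CheckTokenMembership"),
            ("LocalFn", 0x2000)])
    exports = parse_exports(image)
    for name in sorted(exports):
        print(f"{name:40} {exports[name][0]:9} bu {breakpoint_target(dll, name, exports)}")
```

Once the chain ends in a module WinDbg has actually loaded, kvr's bu form resolves it when that module loads; for a forwarder that ends in an API set, check the host DLL's exports with the same script and set the bu on that host name (for example bu kernelbase!CheckTokenMembership when kernelbase.dll turns out to export it) rather than on the api-ms-* name, which is never a loaded module.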
