PizzaToCode

Reputation: 81

Find address of C++ static class member using WinDbg

I'm not experienced with WinDbg and I'm attempting to set a data breakpoint (ba) on a static member variable in a C++ Win32 application to see when it is being corrupted by unintended writes. Let's call it MyClass::m_StaticData. I understand that first I need to find the memory address of MyClass::m_StaticData. However, I'm not sure how to find the address of a static member variable. I've found commands for local variables (dv) and class instances (dt) but I haven't found anything for statics.

Upvotes: 1

Views: 86

Answers (2)

blabb

Reputation: 9007

Use the x command to find the address, taking the example code from the answer posted by @Uriel.

You can do something like this:

Execute until PeHeader->AddressOfEntryPoint:

0:000> g @$exentry
static!mainCRTStartup:
00007ff7`22591390 4883ec28        sub     rsp,28h

Examine the symbols (wildcards are usable):

0:000> x static!*ob*count*
00007ff7`225f0be0 static!Box::objectCount = 0n0

Just confirming with the address-of operator:

0:000> ? &static!Box::objectCount
Evaluate expression: 140699410303968 = 00007ff7`225f0be0

Set a write breakpoint and continue:

0:000> ba w1 &static!Box::objectCount

0:000> g

Breakpoint hit; rip is one instruction past the instruction that executed:

Breakpoint 0 hit
static!Box::Box+0x54:
00007ff7`22591084 488b442408      mov     rax,qword ptr [rsp+8] ss:000000c4`0853f920=000000c40853f940

Call stack:

0:000> k
Child-SP          RetAddr           Call Site
000000c4`0853f918 00007ff7`22591026 static!Box::Box+0x54
000000c4`0853f920 00007ff7`22591290 static!main+0x26
(Inline Function) --------`-------- static!invoke_main+0x22
000000c4`0853f970 00007ffe`0f2a7344 static!__scrt_common_main_seh+0x10c
000000c4`0853f9b0 00007ffe`106626b1 KERNEL32!BaseThreadInitThunk+0x14
000000c4`0853f9e0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

Disassemble backwards to get the instruction that made the write bp hit:

0:000> ub . l2
static!Box::Box+0x4c:
00007ff7`2259107c ffc0            inc     eax
<--- hardware bp stops after being executed 
00007ff7`2259107e 89055cfb0500    mov     dword ptr [static!Box::objectCount (00007ff7`225f0be0)],eax  
0:000>

Upvotes: 2

Uriel Berdeja

Reputation: 11

Let's consider the following C++ code:

class Box {
   public:
      // One copy shared by all Box instances; it lives in the module's
      // data section, not inside any object, so dt on an instance won't show it.
      static int objectCount;
      Box(double l = 2.0, double b = 2.0, double h = 2.0) {
         length = l;
         breadth = b;
         height = h;
         objectCount++;   // the write that a ba w breakpoint will catch
      }
      double Volume() {
         return length * breadth * height;
      }
      static int getCount() {
         return objectCount;
      }

   private:
      double length;
      double breadth;
      double height;
};

// Definition (and storage) of the static member.
int Box::objectCount = 0;

int main(void) {
   Box Box1(3.3, 1.2, 1.5);
   return 0;
}

Some compilers do different things, but MSVC will compile the above code and store the static variables of your class inside the .data segment of the PE32 binary. You can see how it is being referenced, and we can confirm where it is getting stored:

[Screenshot: IDA Disassembly]

[Screenshot: .data segment]

You'll need to search the cross-references in the compiled version of your code in order to get the relative address where the variable is allocated when it gets initialized. I'm not aware that this can be done easily just with WinDbg; therefore, by looking at the very first code offset that references your static variable you'll get the RVA of your variable, and then you can set up a data access breakpoint there.

Upvotes: 1
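As an added example that is not part of either answer, the following WinDbg command sequence ties the two approaches together: it resolves the static member by symbol, derives the RVA that the IDA cross-reference approach would give you, and logs every write to the variable (the writing instruction, the new value and the call stack) instead of halting on the first one. The module name `static` and the symbol `Box::objectCount` are taken from the answers above; `ba w4` assumes a 4-byte `int` at a 4-byte-aligned address.

```windbg
$$ Run to the entry point so the module and its symbols are loaded before
$$ any address is taken (a ba on an unloaded module cannot be resolved).
g @$exentry

$$ Resolve the static by symbol; wildcards are allowed if the exact name is unknown.
x static!Box::objectCount

$$ RVA = virtual address - module base. A module name evaluates to its base
$$ address, so this is the offset you would read off the IDA .data listing.
? static!Box::objectCount - static

$$ The same address through the C++ expression evaluator (handy for nested types).
? @@c++(&Box::objectCount)

$$ Hardware write breakpoint, 4 bytes wide for an int. Instead of stopping,
$$ show rip (already one instruction past the write), the new value, the
$$ instruction that performed the write, five stack frames, then resume with gc.
ba w4 static!Box::objectCount "r rip; ? dwo(static!Box::objectCount); ub @rip L1; k 5; gc"

$$ Confirm the breakpoint is set, then let the program run.
bl
g
```

Expected writes (here the `objectCount++` in the constructor) show up as `Box::Box` frames; a write whose call stack comes from anywhere else is the candidate for the corruption.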
