
I'm trying to set a conditional hardware breakpoint in Windows kernel mode in WinDbg by using the following syntax:

```
ba w1 ffff802312345678 "j(@rip==ffff802387654321 || @rip==ffff802387654330) 'gc';''"
```

I used the above command in order to ignore every access to my target location (ffff802312345678) from ffff802387654321 or ffff802387654330, so that every time an access comes from somewhere else, I would be notified.

But the problem is, it still breaks on ffff802387654321 or ffff802387654330 among the other locations.

I also read its official documentation about "Conditional Breakpoints and Register Sign Extension" and also tested something like this:

```
ba w1 ffff802312345678 "j((@rip & 0xffffffffffffffff)=ffff802387654321 || (@rip & 0xffffffffffffffff)=ffff802387654330) 'gc';''"
```

But it still won't work.

So my question is:

  • What's wrong with the above command, and how can I achieve the desired result?
Migo Lopak

1 Answer


There is no `||` MASM operator. It's `or`.

Use

```
ba w1 ffff802312345678 "j(@rip==ffff802387654321 or @rip==ffff802387654330) 'gc';''"
```

I have not reproduced your exact case, but a simpler example:

```
0:000> r rip
rip=0000000076db6fb0
0:000> j (@rip==0000000076db6fb0 || @rip==0) '.echo 5';'.echo 6"
Numeric expression missing from '| @rip==0) '.echo 5';'.echo 6"'
0:000> j (@rip==0000000076db6fb0 or @rip==0) '.echo 5';'.echo 6"
5
```
Thomas Weller
  • As a side note, it is possible to use `||` by using the `@c++` operator: `j (@@c++(@rip==0000000076db6fb0 || @rip==0)) '.echo 5';'.echo 6"` or switching altogether to the c++ evaluator with `.expr /s c++`. – Neitsa Jul 11 '18 at 12:25
  • @Neitsa: I tried that @@c++ but it didn't work. Does it work for you? – Thomas Weller Jul 11 '18 at 20:54
  • @Neitsa: `.expr /s c++` does not work either. In both cases it says "Could not resolve error at ..." – Thomas Weller Jul 11 '18 at 20:56
  • Strange :( Here's a [session example](https://gist.github.com/neitsa/8fb0f02ae084cf3012f4923763b18ebb); my WinDbg version is `10.0.16299.15` (**not** the WinDbg Preview). – Neitsa Jul 12 '18 at 14:13