
I need to set a breakpoint in the WinDbg debugger when an address in a register points to a memory block containing some pattern, and that pattern is not at a fixed offset, something like

bp ws2_32!sendto "j s @rdx @rdx+100 53 65 6e 64 g"

How do I write this condition properly? I need to break on sendto only when this pattern 53 65 6e 64 occurs somewhere in the address range between rdx and rdx+100.

bp ws2_32!sendto ".if(s @rdx @rdx+100 53 65 6e 64) == 0 { g }"

This gives an error too.

1 Answer


The problem is that s does not make up a valid condition. It either prints a result or it doesn't.

Preparation for the demonstration

2:007> .dvalloc 1000
Allocated 1000 bytes starting at 003b0000

2:007> eb 003b0000 53 65 6e 64

2:007> db 003b0000 L10
003b0000  53 65 6e 64 00 00 00 00-00 00 00 00 00 00 00 00  Send............

A test using s

2:007> s-a 003b0000 L100 "Send"
003b0000  53 65 6e 64 00 00 00 00-00 00 00 00 00 00 00 00  Send............

2:007> s-a 003b0000 L100 "Test"

You can use .foreach on the output of s. It will run the command for every word in the output, which is too much:

2:007> .foreach (output {s-a 003b0000 L100 "Send"}) { .echo "found" }
found
found
found
found
[...]

So let's use the fact that s has a special option for outputting just the address:

2:007> .foreach (output {s-[1]a 003b0000 L100 "Send"}) { .echo "found" }
found

I can't repro with your breakpoint at the moment, but it should look like:

bp ws2_32!sendto ".foreach (output {s-[1]a @rdx L100 "Send"}) { g }"

This should also work when searching for bytes instead of an ASCII string, and with a register instead of an address:

2:007> r eax = 003b0000

2:007> .foreach (output {s-[1]b @eax L100 53 65 6e 64}) { .echo "found" }
found
Thomas Weller
  • Thanks. I also have a question: this foreach works, but for some reason the conditional breakpoint always triggers even with no pattern, `bp ws2_32!sendto ".foreach /ps 100 (output {s-b @rdx L100 07 00 00 } ) { .echo 'hit'; g }"`. It looks as if bp doesn't wait for foreach to complete and always gets TRUE. I tried a workaround like this `bp ws2_32!sendto ".foreach /ps 100 (output {s-b @rdx L100 07 00 00 } ) { .break }; g"`, but instead it always misses the breakpoint and the foreach function does not get executed because of 'g' – andrey2003 Feb 27 '21 at 19:24
  • @andrey2003: yes, the observation is correct: the breakpoint does not have a condition, so it always triggers, meaning that it will always search memory and always loop over the results and continue when something was found. And you want the opposite... damn! – Thomas Weller Feb 27 '21 at 21:03
  • Feel free to unaccept the answer for the moment – Thomas Weller Feb 27 '21 at 21:14
  • I guess you need a freaky combination of `$spat()` and aliases as described here: https://stackoverflow.com/a/46434142/480982 – Thomas Weller Feb 27 '21 at 21:20
  • I got this idea; I came up with this https://pastebin.com/btfCcPnu. But how to combine aliasing and bp? Something like this: https://pastebin.com/spUCMNUF – andrey2003 Feb 27 '21 at 23:07
  • I get no "BREAK?" or "FAILED?", so the last part with the if and $spat is not getting executed, and it seems it is treated as part of the alias. From the documentation of aS with the /c option I see `CommandString Specifies the commands whose outputs become the alias equivalent. This string can include any number of commands that are separated by semicolons.` How can I put this in a bp statement? – andrey2003 Feb 27 '21 at 23:08
  • I managed to do it using a file, so I created the file `c:\dbg\scripting\bp_pattern1.txt`; after that I set the breakpoint like this `bp ws2_32!sendto "$$ – andrey2003 Feb 27 '21 at 23:40
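An added example, not taken from the answer or the comments above, showing one way to get the inverted condition asked about in the comments (stop at sendto only when the pattern is present) by combining the answer's `s-[1]b` search with the `$spat()`/alias approach mentioned there. Assumptions: an x64 target where rdx holds the buffer pointer as in the question, an alias name `PatHit` chosen here, and the script path `c:\dbg\scripting\bp_sendto.txt`; the commands live in a script file run with `$$<` because `aS /c` takes the whole remainder of its line, semicolons included, as the command whose output becomes the alias (the behaviour quoted in the comments), so it cannot share a line with the `.if`.

```windbg
$$ Contents of c:\dbg\scripting\bp_sendto.txt (assumed path, added example).
$$ One command per line: aS /c consumes everything after the alias name,
$$ including semicolons, so the search and the test must be separate lines.
$$
$$ Capture the addresses of every match of "Send" (53 65 6e 64) in the
$$ 0x100 bytes at rdx. With the [1] flag the output is only the match
$$ addresses, so the alias is empty when nothing matched.
$$ ${/v:PatHit} prevents the alias name itself from being expanded here.
aS /c ${/v:PatHit} s-[1]b @rdx L100 53 65 6e 64
$$
$$ .block makes WinDbg re-expand aliases now that PatHit has a value.
$$ ${/f:PatHit} expands to an empty string if the alias was never defined,
$$ and the wildcard "?*" only matches a non-empty string.
$$ No match: clean up the alias and resume. Match: clean up and stay stopped.
.block { .if ($spat("${/f:PatHit}", "?*") == 0) { ad /q ${/v:PatHit}; g } .else { .echo "sendto: pattern found in buffer at rdx"; ad /q ${/v:PatHit} } }
$$
$$ Install the breakpoint so that every hit runs this file:
$$   bp ws2_32!sendto "$$<c:\dbg\scripting\bp_sendto.txt"
```

The alias is deleted on both paths so that a stale address from a previous hit cannot make a later, non-matching call look like a match.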