Breakpoints 200


Before I got distracted with cred roaming and the new netlogon goodness, we were talking about breakpoints.


We covered the basic commands and then looked at some uses for the command-string parameter of bp.


[~Thread] bp[ID] [Options] [Address [Passes]] ["CommandString"]


Another thing you can do is get creative with enabling and disabling breakpoints.


Say you want to set a BP on a very common call, call it advapi32!CommonCall, but you don't want to stop at every one of its instances.


You can instead set a BP on the caller you care about, mycode!caller, and use that BP's command string to enable a second, initially disabled BP on advapi32!CommonCall.


Let's say that your 'common call' is USER32!DialogBox2. Here is a stack from notepad where it is reached through the About dialog (SHELL32!ShellAboutW):


0:000> KL


ChildEBP RetAddr 


001ff638 7689b5bc ntdll!KiFastSystemCallRet


001ff63c 76891598 USER32!NtUserWaitMessage+0xc


001ff670 76891460 USER32!DialogBox2+0x202


001ff698 768914a2 USER32!InternalDialogBox+0xd0


001ff6b8 768b12de USER32!DialogBoxIndirectParamAorW+0x37


001ff6dc 77001832 USER32!DialogBoxParamW+0x3f


001ff700 7711a0e5 SHELL32!SHFusionDialogBoxParam+0x32


001ff734 0057441c SHELL32!ShellAboutW+0x40


001ff7b8 00571576 notepad!NPCommand+0x718


001ff7dc 768a1a10 notepad!NPWndProc+0x4cf


001ff808 768a1ae8 USER32!InternalCallWinProc+0x23


001ff880 768a2a47 USER32!UserCallWinProcCheckWow+0x14b


001ff8e4 768a2a98 USER32!DispatchMessageWorker+0x322


001ff8f4 005714e9 USER32!DispatchMessageW+0xf


001ff928 00571971 notepad!WinMain+0xe3


001ff9b8 76b63833 notepad!__mainCRTStartup+0x140


001ff9c4 77b1a9bd kernel32!BaseThreadInitThunk+0xe


001ffa04 00000000 ntdll!_RtlUserThreadStart+0x23


Set your breakpoints: one on the common call (DialogBox2) and one on the caller you want to gate it on (DialogBoxParamW).


0:000> bp USER32!DialogBox2


0:000> bp USER32!DialogBoxParamW


Note that both are enabled (the 'e' in the second column of bl) and have breakpoint IDs 0 and 1.


0:000> bl


 0 e 76891244     0001 (0001)  0:**** USER32!DialogBox2


 1 e 768b129f     0001 (0001)  0:**** USER32!DialogBoxParamW


Now, we don't want to hit BP0 all the time; let's say it is called from 20 other places. So go ahead and disable it:


0:000> bd 0


0:000> bl




 0 d 76891244     0001 (0001)  0:**** USER32!DialogBox2


 1 e 768b129f     0001 (0001)  0:**** USER32!DialogBoxParamW


Now redefine BP1 so that when it hits it enables BP0 and then continues ('go'). Setting bp on an address that already has a breakpoint redefines that breakpoint and keeps its ID:


0:000> bp 768b129f "be 0;g"


breakpoint 1 redefined




0:000> bl


 0 d 76891244     0001 (0001)  0:**** USER32!DialogBox2


 1 e 768b129f     0001 (0001)  0:**** USER32!DialogBoxParamW "be 0;g"


Note that BP0 is still disabled ('d'). Now go and see what happens:


0:000> g


Breakpoint 0 hit


eax=00520576 ebx=00000000 ecx=00520576 edx=01920570 esi=00000001 edi=00630ccc


eip=76891244 esp=001ff674 ebp=001ff698 iopl=0         nv up ei pl nz na po nc


cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202


USER32!DialogBox2:


76891244 8bff            mov     edi,edi




0:000> bl


 0 e 76891244     0001 (0001)  0:**** USER32!DialogBox2


 1 e 768b129f     0001 (0001)  0:**** USER32!DialogBoxParamW "be 0;g"


When we hit BP1, its command string enables BP0 and then goes; the next call to DialogBox2 then stops at BP0, but only on the path that went through DialogBoxParamW. One caveat: once BP0 has been enabled it stays enabled, as the final bl shows, so every later DialogBox2 call will break regardless of its caller until you disable it again (for example by giving BP0 its own command string that runs bd 0).
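Here is the complete gated-breakpoint setup as a WinDbg command script, written for this edit rather than taken from the post. It uses the same two USER32 symbols as the walkthrough and assumes breakpoint IDs 0 and 1 are free (run bc * first if they are not); the script path in the load comment is an assumption. Unlike the walkthrough, BP0 disarms itself when it hits, so the gate re-arms for the next DialogBoxParamW call instead of staying open.

```windbg
$$ Added example, not from the post: gate the common call USER32!DialogBox2
$$ behind its caller USER32!DialogBoxParamW. Assumes breakpoint IDs 0 and 1
$$ are free. Load with:  $$>< c:\scripts\gate.wds   (path is an assumption)

$$ BP0: the common call. Start it disabled. When it does hit, it disables
$$ itself again (bd 0), prints why it fired plus a short stack, and stops
$$ in the debugger because the command string does not end in g.
bp USER32!DialogBox2 "bd 0; .echo DialogBox2 reached via DialogBoxParamW; kL 5"
bd 0

$$ BP1: the gate. Each time the interesting caller runs, arm BP0 and keep
$$ going, so only the first DialogBox2 call after it will break.
bp USER32!DialogBoxParamW "be 0; g"

$$ Expected state: 0 d ... USER32!DialogBox2 and 1 e ... USER32!DialogBoxParamW "be 0; g"
bl
g
```

A one-shot breakpoint (bp /1) is not a substitute for the bd 0 in BP0's command string: /1 deletes the breakpoint after its first hit, after which BP1's be 0 has nothing left to enable. Disabling rather than deleting keeps ID 0 around for the gate to re-arm.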




 spatdsg

