When tracking down a very specific issue in a driver (which typically means very low signal to noise ratio) conditional breakpoints in WinDbg tend to the the first thing to use before resorting to modifying driver source with additional tracing code and rebuilding driver.
For example, one of the frequent challenges for file system filter drivers is to track down operations on a specific file. What I resort to in that case is to latch onto the file path length1 largely because string comparisions would take longer than comparing length. Consequently the conditional breakpoint template that I use is along the lines of the following –
bp 0x12345678 ".if (@@(pusFullPath->Length) == 0xba){ .echo match }.else { gc }"
This assumes you are setting up a breakpoint at address 0x123456782, and have a local PUNICODE_STRING variable pusFullPath which contains the file full path, and code should break only if the path length is oxba.3
Now some of you might be wondering why I don’t use j command (which is reminiscent of C ternary ? operator syntax). One of my main issues with j command is what I call single-quote double-quote dilemma. When setting up a conditional breakpoint one needs to put double quotes around the entire j command (which you have to do for .if command as well) and put single quotes around commands in the if/else block. I seem to have a developed a knack for getting it wrong all the time. Here is how the above breakpoint would look with j command –
bp 0x12345678 "j (@@(pusFullPath->Length) == 0xba)
'.echo match'; 'gc'"What if you were to break if two conditions are satisfied ? Here is how that might look like –
bp 0x12345678 "j (@@(((pusFullPath->Length) == 0xba)&&
((pusFullPath->MaximumLength) == 0xbc))) '.echo match'; 'gc'"One can use .if within another .if. Here is how this breakpoint might look like using that idea-
bp 0x12345678 ".if (@@(pusFullPath->Length) == 0xba) {
.if (@@(pusFullPath->MaximumLength) == 0xbc) {
.echo match;}
.else{gc;}
}
.else {gc}"- 1 2
