Alternatively, the expression could use the .if/.elsif/.else construct, as below:

bp 0x12345678 ".if (@@(pusFullPath->Length) != 0xba)
                   {gc;}
               .elsif (@@(pusFullPath->MaximumLength) != 0xbc)
                   {gc;}
               .else {.echo match}"

There are several things to be mindful of when setting up conditional breakpoints:

  • A successful bp/bu command does not mean that the conditional expression will not fall apart later. Only when the breakpoint hits on the correct condition while skipping the others can one be sure that it was set up right.
  • Be careful about breakpoint overhead. If the expressions/commands take long to evaluate, they may slow down your operations drastically or bring the machine to a grinding halt.
  • Be aware of the two expression types (.expr /q reports expression types). MASM is the default expression type, but you can change the default by using the .expr /s command. C++ expressions can have things like && (logical AND) whereas MASM expressions cannot. MASM does not have logical AND or logical OR operators.
  • Avoid long expressions: WinDbg may fail silently or behave unpredictably. [4]

When it comes to getting the expressions right the first time, I frequently have to type and retype between trips to documentation pages before anything works. So keeping some of these templates around saves me a bunch of time that would otherwise be spent on expressional experimentation.

[1] which in most cases remains constant unless the file is getting renamed

[2] which is obviously and intentionally a bad kernel mode address

[3] Note that I did not use @@c++ for the C++ expression to work. @@ lets your expression evaluation switch to C++ for the sub-expression and switches back to MASM expression evaluation right after.

[4] On WinDbg build 6.11.1.404, having more than 8 .elsif's started giving unreliable results, such as commands in the .else clause not executing in some runs and executing in others. On the other hand, a breakpoint with a 600+ character expression consistently failed to execute commands in the .else clause.
