There can be an arbitrary number of threads running in a process at any given time.
You require the eip of which thread? Or rather, could you explain what you are after, because as posted your query doesn't seem to be logical.
If you want to know where each of the threads is when you broke on attach, find the number of threads running in the process with
~*
That's a tilde and asterisk.
It will list all the threads that are running at the time when windbg broke.
Now use the number as a variable in a .for loop to print out the eip and ebp+4 (return address on stack).
script
0:019> .for (r $t0 = 0; @$t0 < 19; r $t0 = @$t0+1 ) { ~[@$t0]s; .printf "%p\t%y\t%y\n",@eip,@eip,poi(@ebp+4); }
result (attached to a blank ieexplorer)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) USER32!RealMsgWaitForMultipleObjectsEx+0x13e (7e4195f9)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) ADVAPI32!WmipEventPump+0x230 (77df8631)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) KERNEL32!BaseThreadStart+0x37 (7c80b729)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) KERNEL32!BaseThreadStart+0x37 (7c80b729)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) KERNEL32!BaseThreadStart+0x37 (7c80b729)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) RPCRT4!RecvLotsaCallsWrapper+0xd (77e76caf)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) KERNEL32!WaitForMultipleObjects+0x18 (7c80a115)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) USER32!RealMsgWaitForMultipleObjectsEx+0x13e (7e4195f9)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) KERNEL32!WaitForMultipleObjects+0x18 (7c80a115)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) USER32!RealMsgWaitForMultipleObjectsEx+0x13e (7e4195f9)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) RPCRT4!RecvLotsaCallsWrapper+0xd (77e76caf)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) KERNEL32!Sleep+0xf (7c802455)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) ole32!CRpcThread::WorkerLoop+0x5c (774fe419)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) ole32!CRpcThread::WorkerLoop+0x5c (774fe419)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) KERNEL32!BaseThreadStart+0x37 (7c80b729)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) KERNEL32!BaseThreadStart+0x37 (7c80b729)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) RPCRT4!RecvLotsaCallsWrapper+0xd (77e76caf)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) RPCRT4!RecvLotsaCallsWrapper+0xd (77e76caf)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) KERNEL32!BaseThreadStart+0x37 (7c80b729)
7c90120e ntdll!DbgBreakPoint (7c90120e) 00000000
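
An added example (not part of the original post): a small Python helper that parses the "%p\t%y\t%y" lines printed by the loop above and tallies where the threads are parked. The function names and the SAMPLE text are assumptions made for illustration; SAMPLE reuses seven lines from the result above, and thread numbers are taken from line order because the loop starts at thread 0.

```python
import re
from collections import Counter

# One %y field: "module!symbol+off (address)", or a bare address when the
# debugger has no symbol for it (the 00000000 on the last line of the result).
Y = r"(?:(?P<{0}sym>\S+) \((?P<{0}addr>[0-9a-f]+)\)|(?P<{0}bare>[0-9a-f]+))"
LINE = re.compile(r"^(?P<eip>[0-9a-f]+)\s+" + Y.format("at_") + r"\s+"
                  + Y.format("ret_") + r"\s*$")

# Sample input: seven lines reused from the result above (so threads are 0-6 here).
SAMPLE = """\
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) USER32!RealMsgWaitForMultipleObjectsEx+0x13e (7e4195f9)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) ADVAPI32!WmipEventPump+0x230 (77df8631)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) KERNEL32!BaseThreadStart+0x37 (7c80b729)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) KERNEL32!BaseThreadStart+0x37 (7c80b729)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) RPCRT4!RecvLotsaCallsWrapper+0xd (77e76caf)
7c90e514 ntdll!KiFastSystemCallRet (7c90e514) ole32!CRpcThread::WorkerLoop+0x5c (774fe419)
7c90120e ntdll!DbgBreakPoint (7c90120e) 00000000
"""

def base(symbol):
    """Drop the +0x... displacement so equal call sites compare equal."""
    return symbol.rsplit("+0x", 1)[0]

def parse(text):
    """Return one dict per parsed line; 'thread' is the line's position."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip prompts, blank lines and anything else
        rows.append({"thread": len(rows), "eip": int(m["eip"], 16),
                     "at": base(m["at_sym"] or m["at_bare"]),
                     "ret": base(m["ret_sym"] or m["ret_bare"])})
    return rows

def summarize(rows, stub="ntdll!KiFastSystemCallRet"):
    """Tally saved return sites of threads sitting at the system-call
    return stub, and list separately every thread whose eip is elsewhere."""
    waiting = Counter(r["ret"] for r in rows if r["at"] == stub)
    other = [r for r in rows if r["at"] != stub]
    return waiting, other

if __name__ == "__main__":
    waiting, other = summarize(parse(SAMPLE))
    for site, count in waiting.most_common():
        print(f"{count:3d}  {site}")
    for r in other:
        print(f"thread {r['thread']}: eip at {r['at']}, return {r['ret']}")
```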