
The following breakpoint fails in some situations because of a bad memory address, and that failure causes a break in execution:

bp 0x12345678 ".printf \"PID: %d, unkVar: %d\\n\", ..., poi(poi(ecx+1c)+8)+c;g"

Is there any way to test memory address before dereferencing in Windbg?




Testing a memory address can be done with

.if ( poi(@R32) operator CONST ) { commands }

but I think the intent of the question is not to break on a memory access failure.

If that is the case, wrap your conditional command in a .catch {} block, followed by the command to execute when an exception occurs; this lets execution continue without breaking.

Sample code:

#include <stdio.h>

/* Demo program for the .catch breakpoint example below.
 * The first __asm loop walks eax through every value from 1 up to
 * 0xFFFFFFFF; the answer's breakpoint (bp0 at 00401006, on the cmp)
 * dereferences poi(@eax), which faults for most of those values,
 * so the .catch wrapper is what keeps the target running.
 * The second __asm block spins forever after the message is printed. */
int main (void)
{
    __asm
    {
        xor eax , eax                ; eax = 0
            increase:
            inc eax                  ; eax++
            cmp eax , 0ffffffffh     ; breakpoint in the answer is placed here
            jne increase             ; loop until eax == 0xFFFFFFFF
    }
    printf("we reached here\n");
    __asm
    {
loopfever:
        jmp loopfever                ; intentional infinite loop
    }
    return 0;
}

Disassembly of main:

0:001> uf 401000
image00400000+0x1000:
00401000 55              push    ebp
00401001 8bec            mov     ebp,esp
00401003 33c0            xor     eax,eax

image00400000+0x1005:
00401005 40              inc     eax
00401006 83f8ff          cmp     eax,0FFFFFFFFh
00401009 75fa            jne     image00400000+0x1005 (00401005)

image00400000+0x100b:
0040100b 6840814000      push    offset image00400000+0x8140 (00408140)
00401010 e809000000      call    image00400000+0x101e (0040101e)
00401015 83c404          add     esp,4

image00400000+0x1018:
00401018 ebfe            jmp     image00400000+0x1018 (00401018)

A conditional breakpoint on 401006 that dereferences eax (which will throw an exception over almost 3 GB of the address space), wrapped in a

.catch {} ; gc

bp

0:001> .bpcmds
bp0 0x00401006  " .catch { .printf \"%x\n\" , poi( @eax ) ; gc };  ? @eax ;gc ";

Here is the output:

Memory access error at ') ; gc '
Evaluate expression: 65529 = 0000fff9
Memory access error at ') ; gc '
Evaluate expression: 65530 = 0000fffa
Memory access error at ') ; gc '
Evaluate expression: 65531 = 0000fffb
Memory access error at ') ; gc '
Evaluate expression: 65532 = 0000fffc
Memory access error at ') ; gc '
Evaluate expression: 65533 = 0000fffd
Memory access error at ') ; gc '
Evaluate expression: 65534 = 0000fffe
Memory access error at ') ; gc '
Evaluate expression: 65535 = 0000ffff
380039 44003800 440038 44004400 440044 4b004400 4b0044 3d004b00 3d004b 45003d00 45003d 3a004500 3a0045 5c003a00 5c003a 39005c00 39005c 38003900 380039 44003800 440038 44004400 
The environment starts at 0x10000; compare:

0:000> s -su 10000 10100
00010000  "98DDK=E:\98DDK"
0001001e  "=::=::\"
0001002e  "=C:=C:\Documents and Settings\Ad"

7c90120e cc              int     3
0:001> ~0s
eax=000100c4 ebx=7ffdf000 ecx=00000001 edx=0040c5f0 esi=00000000 edi=009af6ee
eip=00401006 esp=0013ff78 ebp=0013ff78 iopl=0         nv up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000303
image00400000+0x1006:
00401006 83f8ff          cmp     eax,0FFFFFFFFh