
I want to break into the debuggee when it opens a known file, using WinDbg. Because $scmp doesn't accept a raw address, I have to use as (the WinDbg alias command). So I put a conditional breakpoint on CreateFileA:

bu Kernel32!CreateFileA "as /ma ${/v:fName} poi(esp+4);.echo ${fName};...;g"

It always prints the same (first) file name. I also tried script files:

bu ... "$>< bpCmd"
bu ... "$$>< bpCmd"

bpCmd content:

as /ma ${/v:fName} poi(esp+4);
.echo ${fName};
...
g;

That didn't work either.

So why doesn't as work in logging breakpoints?

sealed...

1 Answer


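The alias needs to be re-evaluated every time the breakpoint is hit; otherwise the old alias value is printed. Aliases are expanded when the command string is parsed, which happens before the as command on that same line has run.
To force alias evaluation, enclose the .echo and the other commands that use the alias inside a .block{}.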

crefil:\>dir /b
CreateFile.cpp    
crefil:\>type CreateFile.cpp
#include <stdio.h>
#include <windows.h>
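/*
 * Test target for the CreateFileA breakpoint: walks every entry in the
 * current directory, prints its name and tries to open it for reading.
 * In the debugger session shown on this page each open attempt reached
 * kernel32!CreateFileA, directories included.
 *
 * Returns 0 in every case; enumeration and open failures are ignored.
 */
int main (void)
{
    /* Stack storage instead of calloc: the original released its heap buffer
       only when FindFirstFile succeeded, leaking it on the failure path. */
    WIN32_FIND_DATAA findData = {0};

    /* Explicit ANSI entry points: the names are handled as char strings
       (printf "%s", fopen_s), so this must not switch to the wide variants
       when UNICODE is defined. */
    HANDLE hFind = FindFirstFileA("*.*", &findData);
    if ( hFind == INVALID_HANDLE_VALUE )
        return 0;

    do
    {
        FILE *fp = NULL;

        printf("%s\n", findData.cFileName);

        /* "." and ".." are attempted too; the open simply fails for them,
           and the attempt itself is what the breakpoint observes. */
        if ( fopen_s(&fp, findData.cFileName, "rb") == 0 && fp )
            fclose(fp);
    } while ( FindNextFileA(hFind, &findData) != FALSE );

    FindClose(hFind);
    return 0;
}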

Using as in a WinDbg conditional breakpoint:

crefil:>cdb -c "bp kernel32!CreateFileA \"as /ma ${/v:fname} poi(@esp+4);.block { .echo fname };gc\";g;q" CreateFile.exe

0:000> cdb: Reading initial command 'bp kernel32!CreateFileA "as /ma ${/v:fname}
 poi(@esp+4);.block { .echo fname };gc";g;q'
.
..
CreateFile.cpp
CreateFile.exe
CreateFile.obj
CreateFile.pdb
 vc100.pdb
quit:
blabb