Comments for Common WinDbg Commands (Thematically Grouped) at http://windbg.info , comment 1 to 5 out of 5 comments http://windbg.info Thu, 11 Mar 2010 20:57:54 +0100 FeedCreator 1.7.3 http://windbg.info/doc/1-common-cmds.html#comment-9 Hi, Let's say that the driver I want to debug doesn't have symbols, so I can't use DriverEntry. !lmi 77fba431 (same problem: address not found (so name is interpreted as hex)) Also, the problem is that I would like to set a breakpoint before the driver is loaded. So I would need something like "bu driver+rva_ep". Your method to retrieve base_address and the set a "bp" means that driver needs to be already loaded, right? so why would I set a bp on entry point then... The only method that works that I've found so far, is "bp" on a driver with symbols, walking up the stack and find the address of driver loading function, just before it's calling drivers' EP, and breakpoint there. The problem is that this method will break on every driver that is going to be loaded... - kam Fri, 19 Feb 2010 21:36:31 +0100 http://windbg.info/doc/1-common-cmds.html#comment-8 Kam, hi. Let's assume that the entry point of your driver is called [b]DriverEntry[/b]. In this case setting a breakpoint is simple: > [b]bp 77fba431!DriverEntry[/b] And if you prefer to work with offsets you can easily get the base address of your driver too: > [b]!lmi 77fba431[/b] OR > [b]lm vm 77fba431[/b] Both commands will return the base/start address of your driver in memory. Then you would do something like this: [b]> bp BaseAddress (retrieved in previous step) + rva_entrypoint[/b] I hope this helps, Robert - Robert Kuster Thu, 18 Feb 2010 18:02:56 +0100 http://windbg.info/doc/1-common-cmds.html#comment-7 Hi, This article is very nice, I'm a beginner to windbg and this is helping me a lot. Also, I have a question: Could you tell me please, how do I set a bp on a driver entrypoint if driver name is hex convertible? example: driver name is 77fba431.sys so, normally I would do something like "bp 77fba431+rva_entrypoint" (just like lets say "bp ntfs+rva") but of course 77fba431 is read as an address, so windbg will actually set a bp to address 77fba431+rva_entrypoint. So, how can I tell windbg that 77fba431 is actually a module name not an address ? Thank you! - kam Fri, 12 Feb 2010 18:28:34 +0100 http://windbg.info/doc/1-common-cmds.html#comment-4 Hey hey Adrian, Thanks for your feedback. I encountered similar problems with this breakpoint command. It turns out that here and then the aliases get messed up by WinDbg. You can easily check what is going on by the "[b]al[/b]" (alias list) or "[b]bl[/b]" (breakpoint list) commands. If you see some unusual values the following will help: a) "[b]ad *[/b]" == deletes all aliases b) [b]Reset the breakpoint in question[/b] I'll try to find a more stable version for this breakpoint command and publish it later this year with the next "WinDbg Commands" update. Kind Regards, RK - Robert Kuster Thu, 14 May 2009 03:05:21 +0100 http://windbg.info/doc/1-common-cmds.html#comment-3 First thank you for compiling this document , it is very good. I have a small problem though with pattern matching and conditional breakpoints. I have tried setting a conditional breakpoint on LoadLibraryExW like the examples in this document. The name of the dll I'm trying to match is protection_engine.dll , the pattern I use is *protect*. I've set the breakpoint like this: bu kernel32!LoadLibraryExW ";as /mu ${/v:MyAlias} poi(@esp+4); .if ( $spat( @\"${MyAlias}\", \"*protect*\" ) != 0 ) { .echo ok - dll loaded; kP; } .else { g }". However it only stops when it's loading comctl32.dll so there must be something wrong in the syntax. Do you have any ideas ? I've been staring at it for quite some time but I can't figure out where I'm doing wrong. - adrian hodos Tue, 12 May 2009 18:17:18 +0100