Breakpoints 200

Before I got distracted with cred roaming and new netlogon goodness… we were talking about breakpoints.

We discussed basic commands and then saw some uses for the command string parameter.

[~Thread] bp[ID] [Options] [Address [Passes]] ["CommandString"]

Another thing you can do is get creative with enabling and disabling breakpoints.

Say you want a BP on a very common callee, call it advapi32!CommonCall, but you don't want to stop at every one of its call sites.

You can set a BP on the one caller you care about, mycode!caller, and have that BP's command string enable the advapi32!CommonCall BP. The common BP stays disabled until the interesting caller runs, so you only break on the calls that come through it.


Let's say that your 'common call' is USER32!DialogBox2. Here it is on the stack while notepad is showing its About dialog, reached through SHELL32!ShellAboutW and USER32!DialogBoxParamW; DialogBoxParamW is the caller we will use as the gate.

0:000> kL
ChildEBP RetAddr
001ff638 7689b5bc ntdll!KiFastSystemCallRet
001ff63c 76891598 USER32!NtUserWaitMessage+0xc
001ff670 76891460 USER32!DialogBox2+0x202
001ff698 768914a2 USER32!InternalDialogBox+0xd0
001ff6b8 768b12de USER32!DialogBoxIndirectParamAorW+0x37
001ff6dc 77001832 USER32!DialogBoxParamW+0x3f
001ff700 7711a0e5 SHELL32!SHFusionDialogBoxParam+0x32
001ff734 0057441c SHELL32!ShellAboutW+0x40
001ff7b8 00571576 notepad!NPCommand+0x718
001ff7dc 768a1a10 notepad!NPWndProc+0x4cf
001ff808 768a1ae8 USER32!InternalCallWinProc+0x23
001ff880 768a2a47 USER32!UserCallWinProcCheckWow+0x14b
001ff8e4 768a2a98 USER32!DispatchMessageWorker+0x322
001ff8f4 005714e9 USER32!DispatchMessageW+0xf
001ff928 00571971 notepad!WinMain+0xe3
001ff9b8 76b63833 notepad!__mainCRTStartup+0x140
001ff9c4 77b1a9bd kernel32!BaseThreadInitThunk+0xe
001ffa04 00000000 ntdll!_RtlUserThreadStart+0x23

Set your breakpoints.

0:000> bp USER32!DialogBox2
0:000> bp USER32!DialogBoxParamW

Note that both are enabled (the 'e' in the second column) and were assigned IDs 0 and 1.

0:000> bl
 0 e 76891244 0001 (0001) 0:**** USER32!DialogBox2
 1 e 768b129f 0001 (0001) 0:**** USER32!DialogBoxParamW

Now, we don't want to hit BP0 all the time. Let's say it is called from 20 other places, so go ahead and disable it; bl now shows it as 'd'.

0:000> bd 0
0:000> bl
 0 d 76891244 0001 (0001) 0:**** USER32!DialogBox2
 1 e 768b129f 0001 (0001) 0:**** USER32!DialogBoxParamW

Now we set up BP1 so that when it hits it enables BP0 and then resumes with 'g'. Setting a breakpoint at an address that already has one redefines it and keeps its ID, which is what the 'breakpoint 1 redefined' message is telling us.

0:000> bp 768b129f "be 0;g"
breakpoint 1 redefined
0:000> bl
 0 d 76891244 0001 (0001) 0:**** USER32!DialogBox2
 1 e 768b129f 0001 (0001) 0:**** USER32!DialogBoxParamW "be 0;g"

Note that BP0 is still disabled. Now go and see what happens.

0:000> g
Breakpoint 0 hit
eax=00520576 ebx=00000000 ecx=00520576 edx=01920570 esi=00000001 edi=00630ccc
eip=76891244 esp=001ff674 ebp=001ff698 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
USER32!DialogBox2:
76891244 8bff mov edi,edi
0:000> bl
 0 e 76891244 0001 (0001) 0:**** USER32!DialogBox2
 1 e 768b129f 0001 (0001) 0:**** USER32!DialogBoxParamW "be 0;g"

When we hit BP1, its command string enables BP0 and goes; the next call into DialogBox2 is the one from our caller, so we break in on BP0 in a much more specific manner. One caveat: as the bl output shows, BP0 is now enabled and stays that way, so from here on it will stop on every caller again until you bd it, or until you give BP0 a command string that disables it when hit.
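The same gating, written as a WinDbg script rather than typed interactively. This is an added example, not from the original post: it assumes the same notepad session with USER32 symbols resolved, and it adds one thing the interactive session did not have, a BP0 command string that disables BP0 again on hit so the gate re-arms for the next pass. Save it as gate.txt (hypothetical file name) and run it with $$><gate.txt. Because $$>< joins the lines with semicolons, the comments use $$ and contain no semicolons.

```windbg
$$ Added example (not the original post's session): caller-gated breakpoint.
$$ Assumes notepad.exe under a 32-bit user-mode WinDbg with USER32 symbols.

$$ BP0 is the common callee. Its command string disables BP0 again, and
$$ because the string does not end in g the debugger stays broken in here.
$$ The bp[ID] form pins the ID so the be/bd commands below always match.
bp0 USER32!DialogBox2 "bd 0"

$$ Start with the common callee disarmed so its other 20 callers are ignored.
bd 0

$$ BP1 is the specific caller. On hit it arms BP0 and resumes immediately.
$$ Using the symbol instead of the 768b129f address keeps the script valid
$$ when USER32 loads elsewhere on the next run.
bp1 USER32!DialogBoxParamW "be 0; g"

$$ Show the two breakpoints: 0 should be d, 1 should be e with its command.
bl

$$ Resume. The next break is BP0 reached through DialogBoxParamW, and BP0
$$ is already disabled again, ready for BP1 to re-arm it on the next call.
g
```

After the break, bl shows BP0 back in the 'd' state, so driving the About dialog a second time produces exactly one more stop in DialogBox2, while any other path into DialogBox2 runs through without stopping.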

spatdsg