我正在调试没有源代码的应用程序,我使用 IDA PRO + Windbg 作为调试器。我正在尝试使用特定句柄值捕获对 CloseHandle 的调用,例如 handle=0x14
我像这样放置一个条件断点:
bp kernel32!CloseHandle "j (poi(@esp+4)=0x00000014) ''; 'gc'"
断点设置正常,但它在每次调用 CloseHandle 时中断,与我正在尝试的相反,仅当第一个参数等于 0x14 时中断p>
最佳答案
您缺少一个 = 条件等于运算符需要 两个 == 而不是 单个 =
0:000> bp kernel32!CloseHandle ".if(poi(@esp+4)!=0xcc) {? dwo(@esp+4);gc}.else{? dwo(@esp+4);.echo our handle;gc}"
0:000> g
Evaluate expression: 60 = 0000003c
Evaluate expression: 56 = 00000038
Evaluate expression: 204 = 000000cc <------
our handle <-------------
Evaluate expression: 200 = 000000c8
Evaluate expression: 256 = 00000100
Evaluate expression: 272 = 00000110
Evaluate expression: 280 = 00000118
Evaluate expression: 308 = 00000134
Evaluate expression: 312 = 00000138
Evaluate expression: 308 = 00000134
Evaluate expression: 324 = 00000144
Evaluate expression: 328 = 00000148
Evaluate expression: 324 = 00000144
关于debugging - Windbg 条件断点忽略条件本身,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46448878/