Conditional breakpoint: compare strings #2067

Open
Johnyy45 opened this Issue Nov 4, 2018 · 5 comments

Johnyy45 commented Nov 4, 2018

Hello, and good day.

OllyDbg has a conditional breakpoint with string comparison, like
[UNICODE [ESP + 4]]=="test.txt"

(for the CreateFileW API function: check the name in the first argument)

I couldn't find the same opportunity in dbgx64 (32).

How can I check UNICODE (ANSI) strings in a breakpoint?
Thank you!

Member

mrexodia commented Nov 4, 2018

Currently there is no support for this. #2043 is an attempt to add this, but I'm not sure this is the best solution...

mrexodia added the feature label Nov 4, 2018

Johnyy45 commented Nov 5, 2018

Ok, thank you.

Johnyy45 closed this Nov 5, 2018

Johnyy45 reopened this Nov 5, 2018

Johnyy45 commented Nov 5, 2018

And let's continue...

I made a breakpoint on ZwOpenKeyEx:
without conditions, but with a Log Expression that prints the unicode string from the ObjectAttributes pointer

NTSYSAPI NTSTATUS ZwOpenKeyEx(
PHANDLE KeyHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
ULONG OpenOptions
);


OpenKeyEx {p:[[[ESP+C]+8]+4]} {s:[[[ESP+C]+8]+4]}
In some cases it is ok (green line), and in some cases it prints "???". Is it a bug? Could dbgx64 not read (update) the debugged process memory?
The address is valid (I checked manually).

Member

mrexodia commented Nov 5, 2018

You can try something like this: https://github.com/torusrxxx/EasyDump

Johnyy45 commented Nov 5, 2018

Thanks, but it is not a good solution, because I would like to use a pointer to unicode ([[[ESP+C]+8]+4]) with the strmatch plugin in a breakpoint condition.
But if dbg can't access the memory, the strmatch compare function will fail.
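
The pointer chain from the thread, [[[ESP+C]+8]+4], walked on a constructed 32-bit memory image (an added example, not code from x64dbg, the strmatch plugin or the participants above). The addresses, the key name and all helper names are assumptions; it shows that UNICODE_STRING is a counted string, so a comparison should read Length bytes from Buffer rather than scan for a NUL.

```python
import struct

def build_memory():
    """Constructed x86 memory image {base: bytes}; every address and value is made up."""
    name = "\\REGISTRY\\MACHINE\\SOFTWARE\\Test".encode("utf-16-le")
    esp, oa, us, buf = 0x0019F000, 0x0019F100, 0x0019F200, 0x00500000
    return {
        # Stack on entry: return address, KeyHandle, DesiredAccess, ObjectAttributes, OpenOptions
        esp: struct.pack("<5I", 0x77001234, 0x0019F300, 0x20019, oa, 0),
        # OBJECT_ATTRIBUTES: Length, RootDirectory, ObjectName, Attributes, two security pointers
        oa: struct.pack("<6I", 24, 0, us, 0x40, 0, 0),
        # UNICODE_STRING: USHORT Length (in bytes), USHORT MaximumLength, PWSTR Buffer
        us: struct.pack("<HHI", len(name), len(name), buf),
        # Buffer holds the name followed by stale characters, with no NUL terminator
        buf: name + "JUNK".encode("utf-16-le"),
    }, esp

def read(mem, addr, size):
    for base, data in mem.items():
        if base <= addr and addr + size <= base + len(data):
            return data[addr - base:addr - base + size]
    raise MemoryError(f"unreadable address {addr:#x}")

def u32(mem, addr):
    return struct.unpack("<I", read(mem, addr, 4))[0]

def object_name(mem, esp):
    """Counted read of ObjectAttributes->ObjectName, honouring UNICODE_STRING.Length."""
    us = u32(mem, u32(mem, esp + 0xC) + 8)       # [[ESP+C]+8] -> PUNICODE_STRING
    if us == 0:
        return None                              # ObjectName may be NULL
    length = struct.unpack("<H", read(mem, us, 2))[0]
    return read(mem, u32(mem, us + 4), length).decode("utf-16-le")  # Buffer = [[[ESP+C]+8]+4]

def nul_terminated(mem, addr, limit=260):
    """Plain 'string at pointer' read: stops at NUL, at unreadable memory or at the limit."""
    out = b""
    try:
        while len(out) < 2 * limit and (ch := read(mem, addr + len(out), 2)) != b"\0\0":
            out += ch
    except MemoryError:
        pass
    return out.decode("utf-16-le")

def name_matches(mem, esp, wanted):
    return (object_name(mem, esp) or "").lower() == wanted.lower()

if __name__ == "__main__":
    mem, esp = build_memory()
    print(repr(object_name(mem, esp)), repr(nul_terminated(mem, 0x00500000)))
```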
