Log at a breakpoint, then continue execution.
bp 10843770 "dd @esp+4 L 4; g"
Set a conditional breakpoint.
bp 10843770 ".if (poi(@esp+4)=0x00110214) {} .else {gc}"
bp 10843770 ".if (poi(@esp+4)=0x10204) {.if (poi(@esp+8)=0x7) {} .else {gc} } .else {gc}"
Debugging from the kernel all the way into user mode.
http://www.codeproject.com/Articles/7913/Debug-Tutorial-Part-6-Navigating-The-Kernel-Debugg
During kernel-mode debugging, you can set the process context by using the .process (Set Process Context) command. Use this command to select which process's page directory is used to interpret virtual addresses. After you set the process context, you can use this context in any command that takes addresses. You can even set breakpoints at this address. By including a /i option in the .process command to specify invasive debugging, you can also use the kernel debugger to set breakpoints in user space.
You can also set user-mode breakpoints from the kernel debugger by using a process-specific breakpoint on a kernel-space function. Set strategic breakpoints and wait for the appropriate context to come up.
With WinDBG, another thing you can do is use !bpid to have the kernel debugger break into the context of the process you're interested in, and then you can set your breakpoints in the user-mode code (after running .reload to reload your symbols).
For example, setting a breakpoint in CreateFileW in a process:
0: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
....
PROCESS 861c9d90 SessionId: 1 Cid: 0f10 Peb: 7ffd3000 ParentCid: 0b48
DirBase: 0174e2a0 ObjectTable: 96f14eb0 HandleCount: 5.
Image: testapp.exe
1: kd> .process /r /p 861c9d90
Implicit process is now 861c9d90
..cache forcedecodeuser done
Loading User Symbols
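The complete kernel-to-user sequence described above, as an added example rather than commands from the original page or the quoted article. It assumes an x86 target (arguments read from @esp, as in the breakpoints at the top of the page), reuses the EPROCESS address 861c9d90 from the session above, and assumes testapp.exe calls CreateFileW in kernel32.dll.

```windbg
$$ Added example, not from the page or the quoted article. Assumes an x86
$$ target, the EPROCESS 861c9d90 from the session above, and that
$$ testapp.exe resolves CreateFileW in kernel32.dll.

$$ 1. Find the EPROCESS of the process of interest.
!process 0 0
$$    ... PROCESS 861c9d90 ... Image: testapp.exe

$$ 2. Switch the implicit process so user-mode virtual addresses of
$$    testapp.exe are interpreted with its page directory, then load
$$    its user-mode symbols so kernel32!CreateFileW resolves.
.process /r /p 861c9d90
.reload /user

$$ 3a. Non-invasive variant: a process-specific breakpoint. /p ties the
$$     breakpoint to this EPROCESS, so CreateFileW calls in other
$$     processes do not stop the machine. The command string dumps the
$$     file name (first argument) only when the desired access (second
$$     argument) includes GENERIC_WRITE (0x40000000); otherwise it
$$     resumes with gc, the same pattern as the conditional breakpoints
$$     at the top of the page.
bp /p 861c9d90 kernel32!CreateFileW ".if (poi(@esp+8) & 0x40000000) { du poi(@esp+4) } .else { gc }"
g

$$ 3b. Invasive variant: ask the kernel debugger to break in the next
$$     time this process is scheduled, then set ordinary user-mode
$$     breakpoints. Here the breakpoint only logs the file name and
$$     continues, like the log-and-go breakpoint at the top of the page.
.process /i 861c9d90
g
.reload /user
bp kernel32!CreateFileW "du poi(@esp+4); gc"
g

$$ bl lists the breakpoints that are set; bc * removes them when done.
```

The two variants are alternatives: pick 3a when the machine must keep running other processes undisturbed, 3b when you want the debugger parked in the target process for further user-mode work.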