views:

384

answers:

2

Hi,

I am debugging a third-party DLL for which I don't have the source code. This DLL maintains a pool of strings. I want to trap the earliest occurrence at which one of these strings is passed into a function...any function at all...

In other words, I want to detect when a pointer-to-a-null-terminated-string having a certain format is pushed onto the stack...by anybody, and I want to execute a Debug Break when that occurs.

I know you can set a "break-on-access" breakpoint which will trigger when the CPU reads/writes/executes a particular address. What I want is similar to this: for each string pushed onto the stack, I want to test it against a certain format, and if it matches, execute the break.

Using WinDbg, OllyDbg, VS2008, whatever... any ideas?

Thanks!

+2  A: 

With WinDbg, check out this article

Cory Foy
+3  A: 

I'd say that this is impossible with your requirements:

I want to detect when a pointer-to-a-null-terminated-string having a certain format

As the previous answer said, you'll be able to match your string to anything once your breakpoint hits.

I want to trap the earliest occurrence at which one of these strings is passed into a function...any function at all... What I want is similar to this: for each string pushed onto the stack, I want to test it against a certain format, and if it matches, execute the break.

So what you need is to detect when any function is called with a specific pointer parameter on the stack - this is the "impossible" part. In theory there are multiple ways to do this, but they are too slow and too complicated... And what if the function gets a pointer to a pointer that has the value you're tracking, or an array that contains that pointer...

What is it you're trying to achieve? Why would you need the place where the string is first passed into a function? The use of the string is what is most often important, and as you know you can break on that with a simple memory access breakpoint (if the string is ever copied, add another breakpoint).

I'd recommend taking another approach: use a disassembler and do some more static analysis with a bit of debugging to get to what you need...

Hrvoje Prgeša
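As an added illustration of the feasible part of both answers (this is not code from either poster or from WinDbg's documentation), the WinDbg script below combines the two things that do work: a conditional breakpoint on the entry of one chosen function that tests the string argument against a pattern, and a memory-access breakpoint planted on the string once it has been seen. It assumes a 32-bit target using stdcall, kernel32!CreateFileA as the hooked function (the first argument, lpFileName, is then at [esp+4]), the constructed pattern "*secret*", and the script path C:\scripts\match_string.wds; all of these are assumptions to adapt to the DLL being debugged.

```windbg
$$ match_string.wds  (constructed example; file name, function and pattern are assumptions)
$$
$$ Install it from the WinDbg command line as a breakpoint command:
$$     bp kernel32!CreateFileA "$$>< C:\scripts\match_string.wds"
$$ Every hit of the breakpoint runs this script; it only stops in the debugger
$$ when the string argument matches the pattern, otherwise it resumes with gc.

$$ Bind the alias 'fname' to the null-terminated ANSI string at [esp+4]
$$ (x86 stdcall: first argument). On x64 the first argument is in rcx instead.
as /ma ${/v:fname} poi(@esp+4)

$$ Aliases are expanded when a block is entered, so the test must sit in .block.
.block
{
    $$ $spat does a case-insensitive wildcard match and returns nonzero on success.
    .if ($spat("${fname}", "*secret*"))
    {
        .echo Matched string argument at CreateFileA entry:
        da poi(@esp+4)
        kb 5

        $$ From here on, catch every later read or write of the string's first
        $$ 4 bytes, wherever it happens: this is the memory access breakpoint
        $$ the answer refers to. Add another one if the string is copied.
        ba r4 poi(@esp+4) ".echo string accessed; kb 5; gc"

        ad /q ${/v:fname}
        $$ No gc here: the debugger stays broken at the matching call.
    }
    .else
    {
        ad /q ${/v:fname}
        gc
    }
}
```

The cost of this approach is exactly the one the answer points at: the check runs on every call of the hooked function, so it is practical for a handful of chosen entry points (the DLL's exports, or the Win32 APIs it calls), not for "any function at all". The ba breakpoint, on the other hand, is hardware-backed and essentially free, which is why finding the string once and then watching its memory is usually the better trade.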