A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #15244  by fire_the_hole
 Sat Aug 18, 2012 3:38 am
We can set an unresolved breakpoint with the command "bu".
e.g.:
bu mydriver!DriverEntry
When mydriver.sys is loaded and ready to run DriverEntry, it will break into the debugger.
What's the principle?
If I know the principle, I can get a PE file's entry function (e.g. DriverEntry) and set a DriverEntry breakpoint without symbols.

Of course I can set a breakpoint at IopLoadDriver+0xxxx to stop the driver, but let's just talk about the "bu" mechanism, OK? :mrgreen:
 #15270  by fire_the_hole
 Tue Aug 21, 2012 5:07 am
xdeadcode wrote:Hi fire_the_hole,

Please read this very carefully: http://msdn.microsoft.com/en-us/library ... s.85).aspx
Then try to do the following test: build a driver w/o any pdb information. Then in windbg set bu MODULE!DriverEntry and check if you can break in ;)

Best regards,
Thank you for the help, but it seems you don't know what I am talking about.
 #15286  by xdeadcode
 Tue Aug 21, 2012 8:41 pm
Hello fire_the_hole.

I thought you asked about how windbg realizes 'bu'.
Can you explain a little bit what the point of your question is?

Best regards,
 #15291  by fire_the_hole
 Wed Aug 22, 2012 1:05 am
xdeadcode wrote:Hello fire_the_hole.

I thought you asked about how windbg realizes 'bu'.
Can you explain a little bit what the point of your question is?

Best regards,
Yes, I'm asking about how windbg realizes "bu".
Does it set a timer and search for the unresolved symbol?
 #15312  by xdeadcode
 Wed Aug 22, 2012 9:18 pm
Hi fire_the_hole,

It doesn't need a timer. WinDbg realizes 'bu' using symbols (pdb), and since 'bu' is connected with a symbol (not an address), when any module is loaded it checks for the given symbol in the loaded module. Of course Windbg does much more, like in the case of C++ it converts decorated cpp symbols to undecorated ones and then tries to match the pattern and so on, and this makes bu such a heavy command (it looks for the given symbol in every module after undecoration, so much stuff happens there).

This is why I asked you to do the test I proposed (if you compile any module w/o symbols, e.g. by forcing it with "LINKER_FORCE_NO_DBG_SECTION", 'bu' will not give you a result), just to give you a point why 'simulating' bu without symbols will be useless.

I don't know if it is clear what I'm saying here.
Anyway, if you do this, I would like to see it :)

Good luck
 #15325  by SomeUnusedName
 Thu Aug 23, 2012 1:07 pm
And to quote xdeadcode's first link, third sentence:
Every time that a new application is loaded, it is checked for this routine name. If this routine appears, the debugger computes the actual coded address of the virtual breakpoint and enables the breakpoint.
Which would've answered your question as well ;)
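A small model of the mechanism quoted above (a deferred breakpoint that stays pending until a module of that name loads, then gets its address computed), combined with the symbol-free PE entry-point lookup the original poster asked about. This is an added Python example, not code from this thread or from WinDbg; the PE header is constructed inline, and the `mod!$entry` notation is this example's own convention, not WinDbg syntax.

```python
import struct

# Constructed PE32+ header (not a real driver), enough for an entry-point lookup.
def build_sample_image(entry_rva=0x1000, image_base=0x140000000):
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)           # Magic: PE32+
    struct.pack_into("<I", opt, 16, entry_rva)      # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, image_base)     # ImageBase
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def entry_point(image):
    """Return (AddressOfEntryPoint RVA, preferred ImageBase) from raw PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                         # past signature and COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    rva = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == 0x20B:                              # PE32+: 64-bit ImageBase at +24
        base = struct.unpack_from("<Q", image, opt + 24)[0]
    elif magic == 0x10B:                            # PE32: 32-bit ImageBase at +28
        base = struct.unpack_from("<I", image, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return rva, base

class DeferredBreakpoints:
    """Hypothetical model of a deferred 'bu': the spec stays pending until a
    module of that name loads, then the address is computed and the bp armed.
    'mod!$entry' is this example's own notation for the PE entry point."""
    def __init__(self):
        self.pending, self.resolved = set(), {}
    def bu(self, spec):
        self.pending.add(spec.lower())
    def on_module_load(self, name, load_base, image):
        # Without a PDB only the PE entry point is recoverable; DriverEntry
        # itself (called from a GsDriverEntry stub in WDK builds) needs symbols.
        spec = name.lower() + "!$entry"
        if spec in self.pending:
            rva, _ = entry_point(image)
            self.resolved[spec] = load_base + rva   # actual load base, not ImageBase
            self.pending.discard(spec)
        return dict(self.resolved)
```

Note that the address is computed from the base the module was actually loaded at, not the ImageBase in the header, which is why the breakpoint cannot be armed before the load notification arrives.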