WinDbg conditional breakpoint ignores the condition itself

Time: 2017-09-27 13:15:04

Tags: debugging windbg breakpoints ida conditional-breakpoint

I am debugging an application without source, using IDA Pro + WinDbg as the debugger. I want to catch calls to CloseHandle with a specific handle value, e.g. handle = 0x14.

I set a conditional breakpoint like this:

bp kernel32!CloseHandle "j (poi(@esp+4)=0x00000014) ''; 'gc'"

The breakpoint is set fine, but it breaks on every call to CloseHandle, which is the opposite of what I am trying to do: break only when the first argument equals 0x14.

1 answer:

Answer 0 (score: 5)

You are missing an =. The equality condition operator needs two == rather than a single =.

0:000> bp kernel32!CloseHandle ".if(poi(@esp+4)!=0xcc) {? dwo(@esp+4);gc}.else{? dwo(@esp+4);.echo our handle;gc}"
0:000> g

Evaluate expression: 60 = 0000003c
Evaluate expression: 56 = 00000038

Evaluate expression: 204 = 000000cc <------
our handle <-------------

Evaluate expression: 200 = 000000c8    
Evaluate expression: 256 = 00000100   
Evaluate expression: 272 = 00000110    
Evaluate expression: 280 = 00000118    
Evaluate expression: 308 = 00000134
Evaluate expression: 312 = 00000138
Evaluate expression: 308 = 00000134
Evaluate expression: 324 = 00000144
Evaluate expression: 328 = 00000148
Evaluate expression: 324 = 00000144
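The asker's breakpoint with the operator corrected, plus the same condition written with .if and an x64 variant (where the first argument arrives in rcx instead of on the stack), as an added example that is not part of the original question or answer; the handle value 0x14 is the asker's, everything else is assumed:

```windbg
; x86: first argument is the dword at [esp+4]; '==' compares, '=' does not
0:000> bp kernel32!CloseHandle "j (poi(@esp+4) == 0x14) '.echo our handle; kb'; 'gc'"

; same condition using .if / .else; log every handle, stop only on 0x14
0:000> bp kernel32!CloseHandle ".if (dwo(@esp+4) == 0x14) { .echo our handle; kb } .else { ? dwo(@esp+4); gc }"

; x64: first argument is in rcx, so read the register rather than the stack
0:000> bp kernel32!CloseHandle ".if (@rcx == 0x14) { .echo our handle; kb } .else { gc }"
```

On a 64-bit target, kernel32!CloseHandle may forward into kernelbase; if the breakpoint never fires, set it on kernelbase!CloseHandle instead.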