[fire_the_hole]

We can set unresolved breakpoint by command "bu".
eg:
bu mydriver!DriverEntry
when mydriver.sys is loaded and ready to run in DriverEntry.It will break in to debugger.
What's the Principle?
if i know the principle.i can get a pe file's entry function.(eg:DriverEntry) and set a driverentry breakpoint without symbol.

of couse i can set breakpoint at ioploaddriver+0xxxx to stop the driver.but let's just talk about the "bu"'s mechanism.Ok? :mrgreen:

[xdeadcode]

Hi fire_the_hole,

Please read this very carefully: http://msdn.microsoft.com/en-us/library ... s.85).aspx
Then try to do follwing test: Build a driver w/o any pdb informations. Then in windbg set bu MODULE!DriverEntry and check if you can break in ;)



Best regards,

[fire_the_hole]

Hi fire_the_hole,

Please read this very carefully: http://msdn.microsoft.com/en-us/library ... s.85).aspx
Then try to do follwing test: Build a driver w/o any pdb informations. Then in windbg set bu MODULE!DriverEntry and check if you can break in ;)



Best regards,

thank you for help.But it seem you don't know what i am talking about.

[xdeadcode]

Hello fire_the_hole.

I thought you asked about how windbg realizes 'bu'.
Can you explain a little bit what is point of your question?

Best regards,

[fire_the_hole]

Hello fire_the_hole.

I thought you asked about how windbg realizes 'bu'.
Can you explain a little bit what is point of your question?

Best regards,

Yes I'm asking about how windbg relizes "bu".
does it set a timer.and search for the unresolved symbol ?

[xdeadcode]

Hi fire_the_hole,

It doesn't need a timer. WinDbg when realizes 'bu' using symbols(pdb) and since 'bu' is connected with symbol (not an address) when any module is loaded it check for given symbol in loaded module. Of course Windbg does much more like in case of C++ it converts decorated cpp symbols to undecorated one and then tries to match pattern and so on.. and this makes bu so heavy command (looks for given symbol in every module after undecoration .. so much stuff happens there).

This is why I asked you to make a test I proposed (If you compile any module w/o symbols, e.g. by forcing it with "LINKER_FORCE_NO_DBG_SECTION" - 'bu' will not give you result) - just to give you point why 'simulating' bu without symbols will be useless.

I don't know if it is clear what I'm saying here,
Anyway If you will do this.. I would like to see it :)

good luck

[fire_the_hole]

Hi fire_the_hole,

It doesn't need a timer. WinDbg when realizes 'bu' using symbols(pdb)

thank you very much!

[SomeUnusedName]

And to quote xdeadcode's first link, third sentence:

Every time that a new application is loaded, it is checked for this routine name. If this routine appears, the debugger computes the actual coded address of the virtual breakpoint and enables the breakpoint.

Which would've answered your question as well ;)