0
votes

I would like to set a memory breakpoint on access in WinDbg, in the kernel-mode debugger.

I want the debugger to break every time a specific module in user mode is hit, using the kernel debugger.

But I've read somewhere that it's impossible to set it; in order to make memory breakpoints I have to write a plugin.

I tried to use the SDbgExt plugin with the !vprotect command, but it fails to set a memory bp.

If I have to write a plugin to allow memory bp in kernel mode, does it have to be a driver?

I've read some chapters of the Windows Internals book, but it doesn't help me at all.

I couldn't find much info on how to start dealing with it.

3
Welcome to SO, please be a bit more specific when asking a question: what have you tried, what do you expect, etc. See how to ask. - Nehal

3 Answers

0
votes

You can set breakpoints on user-mode addresses from kernel mode. The only thing you should take care of is to switch to the right process with the ".process /i " command.

0
votes

If it is a one-off breakpoint -- that is, you are content with the process being destroyed by debugging -- zero out the entire module using the e command (edit memory). Set the whole thing to cc (which is int 3 as far as I remember)... zeros will do as well. You will break as soon as you touch any of the module's code.

Next step, remember where you were (relative to the module) and set a proper breakpoint.

Hope that helps.

(editing) Do you have full symbols? If you do, did you try bm module!*?

0
votes

Sounds like you want to set a "breakpoint on access" but instead of specifying an address you want to specify a range? I have never seen it done in WinDbg. The BA breakpoints use HW debug registers instead of inserting INTs like SW breakpoints, so this is definitely HW platform specific. I have done this on an ARM chipset once using a HW debugger. ETM on ARM allows you to set triggers on address ranges.
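To illustrate the point about hardware debug registers, here is an added example (not part of any of the answers above) that models how an x86/x64 `ba`-style breakpoint maps onto DR7 and why a module-sized range does not fit. It assumes the x86/x64 layout of four address slots (DR0-DR3) with aligned lengths of 1, 2, 4 or 8 bytes; the function names and addresses are constructed for illustration.

```python
# Model of x86/x64 hardware breakpoints (DR0-DR3 controlled by DR7).
# Assumption: four slots; LEN/RW encodings as defined for DR7 on x86/x64.
SLOTS = 4
RW = {"e": 0b00, "w": 0b01, "r": 0b11}      # execute, write, read/write
LEN = {1: 0b00, 2: 0b01, 4: 0b11, 8: 0b10}  # breakpoint length in bytes


def dr7_bits(slot, access, size, addr):
    """Return the DR7 bits that arm one breakpoint slot (local-enable bit)."""
    if slot not in range(SLOTS):
        raise ValueError("only DR0-DR3 hold breakpoint addresses")
    if access not in RW or size not in LEN:
        raise ValueError("unsupported access type or size")
    if access == "e" and size != 1:
        raise ValueError("execute breakpoints must have size 1")
    if addr % size:
        raise ValueError("address must be aligned to the breakpoint size")
    enable = 1 << (slot * 2)
    return enable | (RW[access] << (16 + slot * 4)) | (LEN[size] << (18 + slot * 4))


def cover(start, length, access="r"):
    """Split [start, start+length) into aligned chunks a debug register accepts."""
    sizes = (1,) if access == "e" else (8, 4, 2, 1)
    chunks, addr, end = [], start, start + length
    while addr < end:
        size = next(s for s in sizes if addr % s == 0 and addr + s <= end)
        chunks.append((addr, size))
        addr += size
    return chunks


def fits_in_hardware(start, length, access="r"):
    """True only if the whole range can be watched with the available slots."""
    return len(cover(start, length, access)) <= SLOTS


if __name__ == "__main__":
    # Constructed addresses: a 32-byte structure versus one 4 KiB code page.
    print(hex(dr7_bits(0, "w", 4, 0x1000)))
    print(fits_in_hardware(0x1000, 32, "r"), len(cover(0x1000, 32, "r")))
    print(fits_in_hardware(0x1000, 0x1000, "e"), len(cover(0x1000, 0x1000, "e")))
```

A 32-byte region fits in the four slots, while a single page of code would need thousands of them, which is why a breakpoint on access cannot take a whole module as its range.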