From the archives: WinDbg conditional breakpoints with string comparisons

<p>From the archives of my old blog. These days there are probably better ways of doing this, such as using WinDbg&rsquo;s JavaScript extensions, TTD or other instrumentation tools. Enjoy.</p>
<p>Actually, it&rsquo;s more of a note to self; I just thought I might as well leave the note here. Recently, I&rsquo;ve had to reverse engineer a program and I wanted to break at the point where the program calls&nbsp;<code>CreateFileW</code>&nbsp;with a path to a certain file. What I&rsquo;d normally do would be to set a breakpoint on&nbsp;<code>CreateFileW</code>&nbsp;and print the path argument every time that breakpoint is hit. For example:</p>
<pre>bp Kernel32!CreateFileW &quot;.printf \&quot;%mu\\n\&quot;, poi(esp+4);&quot;</pre>
<p>However, this particular program calls&nbsp;<code>CreateFileW</code>&nbsp;multiple times in the course of its execution and it was time consuming to have to do this manually, so I searched for a solution to this problem. The WinDbg help shows several string comparison functions, such as&nbsp;<code>$scmp</code>,&nbsp;<code>$sicmp</code> and&nbsp;<code>$spat</code>; however, they all take string literals as their arguments and not pointers to strings in memory &mdash; something like&nbsp;<code>$spat(&quot;hello world&quot;, &quot;hello*&quot;)</code>&nbsp;would work but not&nbsp;<code>$spat(&quot;hello world&quot;, poi(esp+4))</code>.</p>
<p><a href="https://upsidedwn.medium.com/from-the-archives-windbg-conditional-breakpoints-with-string-comparisons-e3f92d2b3377"><strong>Read More</strong></a></p>
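<p>One commonly used way around this limitation, shown here as an added example and not taken from the original post: copy the string behind the pointer into a debugger alias with <code>as /mu</code>, then let alias expansion paste its text into <code>$spat</code>. The script path, the alias name <code>cfwPath</code> and the pattern <code>*settings.ini*</code> are assumptions made for illustration; <code>esp+4</code> assumes the same 32-bit target as the breakpoint above.</p>

```windbg
$$ Script file, saved as C:\dbg\cfw_filter.txt (hypothetical path).
$$ Attach it with: bp kernel32!CreateFileW "$$<C:\\dbg\\cfw_filter.txt"

$$ Copy the null-terminated Unicode string at poi(esp+4) into the alias cfwPath.
$$ ${/v:cfwPath} stops the name from being expanded, so it can be redefined on every hit.
as /mu ${/v:cfwPath} poi(esp+4)

$$ This line is parsed after the alias has been set, so ${cfwPath} expands to the
$$ path text and $spat receives a string instead of a pointer.
$$ Match: print the path and stay broken in. No match: gc resumes execution.
.if ($spat("${cfwPath}", "*settings.ini*")) { .printf "CreateFileW: %mu\n", poi(esp+4) } .else { gc }
```

<p>Keeping the commands in a file avoids nested quote escaping inside the <code>bp</code> command string, and each line is read after the previous one has run, so the alias always holds the path from the current call.</p>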