From the archives: Windbg conditional breakpoints with string comparisons
<p>From the archives of my old blog. These days there are probably better ways of doing this, such as using windbg’s Javascript extensions, TTD or other instrumentation tools. Enjoy.</p>
<p>Actually, it’s more of a note to self; I just thought I might as well leave the note here. Recently, I had to reverse engineer a program and I wanted to break at the point where the program calls <code>CreateFileW</code> with a path to a certain file. What I’d normally do is set a breakpoint on <code>CreateFileW</code> and print the path argument every time that breakpoint is hit. For example:</p>
<pre>
bp Kernel32!CreateFileW ".printf \"%mu\\n\", poi(esp+4);"</pre>
<p>However, this particular program calls <code>CreateFileW</code> many times in the course of its execution, and it was time consuming to have to inspect each hit manually, so I searched for a solution to this problem. The Windbg help shows several string comparison functions, such as <code>$scmp</code>, <code>$sicmp</code> and <code>$spat</code>; however, they all take strings as their arguments, not memory pointers to strings: something like <code>$spat('hello world', 'hello*')</code> would work, but <code>$spat('hello world', poi(esp+4))</code> would not.</p>
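<p>The following is an added example, not part of the original post: it uses Windbg's <code>as /mu</code> alias command to turn the pointer in <code>poi(esp+4)</code> into a string that <code>$spat</code> can compare, so the breakpoint only stops when the path matches. It assumes the same 32-bit calling convention as the page (<code>esp+4</code>); the alias name <code>FilePath</code> and the pattern <code>*secret.ini</code> are constructed placeholders.</p>

```windbg
$$ Conditional breakpoint on CreateFileW that only stops for a matching path.
$$ as /mu reads the NUL-terminated Unicode string at the given address into an
$$ alias; ${/v:FilePath} refers to the alias name itself without expanding it.
$$ The .block is required so the freshly set alias is expanded in the same
$$ command string; otherwise ${FilePath} would still hold the previous value.
$$ gc resumes execution in the same mode (g, p, t) the target was running in,
$$ and ad /q removes the alias afterwards so stale data is never compared.
bp kernel32!CreateFileW "as /mu ${/v:FilePath} poi(esp+4); .block { .if ($spat(\"${FilePath}\", \"*secret.ini\")) { .printf \"CreateFileW(%mu)\\n\", poi(esp+4); } .else { gc } }; ad /q ${/v:FilePath}"
```

<p>The pattern is a Windbg wildcard pattern (<code>*</code>, <code>?</code>), so the same breakpoint can be reused for any file name or directory prefix by changing only the second argument to <code>$spat</code>.</p>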
<p><a href="https://upsidedwn.medium.com/from-the-archives-windbg-conditional-breakpoints-with-string-comparisons-e3f92d2b3377"><strong>Read More</strong></a></p>