Setting breakpoint on entry point with Windbg

You might wonder how to set a breakpoint on the entry point in WinDbg. I didn't know either, because I had never tried it: I usually do kernel-mode debugging, so I never needed to break on the entry point. Here is a slightly involved method; if you know a simpler way, let me know.

First, start the application from WinDbg using File -> Open Executable (or Ctrl+E).
When the debugger stops at its initial breakpoint (before any of the image's own code has run), execute the following commands: !peb gives the loaded image base (ImageBaseAddress), !dh on that base gives the RVA of the entry point from the optional header, and the breakpoint goes at base + RVA.

0:000> !peb
PEB at 7ffd8000
    InheritedAddressSpace: No
    ReadImageFileExecOptions: No
    BeingDebugged: Yes
    ImageBaseAddress: 01000000
    Ldr 001a1ea0
    Ldr.Initialized: Yes
    Ldr.InInitializationOrderModuleList: 001a1f58 . 001a2920
    Ldr.InLoadOrderModuleList: 001a1ee0 . 001a2910
    Ldr.InMemoryOrderModuleList: 001a1ee8 . 001a2918
        Base     TimeStamp                     Module
        1000000  48025287 Apr 13 11:35:51 2008 c:\windows\notepad.exe
        7c900000 4802a12c Apr 13 17:11:24 2008 C:\WINDOWS\system32\ntdll.dll
        7c800000 4802a12c Apr 13 17:11:24 2008 C:\WINDOWS\system32\kernel32.dll
        763b0000 4802a0c9 Apr 13 17:09:45 2008 C:\WINDOWS\system32\comdlg32.dll
        77dd0000 4802a0b2 Apr 13 17:09:22 2008 C:\WINDOWS\system32\ADVAPI32.dll
        77e70000 4802a106 Apr 13 17:10:46 2008 C:\WINDOWS\system32\RPCRT4.dll
        77fe0000 4802a11b Apr 13 17:11:07 2008 C:\WINDOWS\system32\Secur32.dll
        773d0000 4802a094 Apr 13 17:08:52 2008 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll
        77c10000 4802a188 Apr 13 17:12:56 2008 C:\WINDOWS\system32\msvcrt.dll
        77f10000 49006fbe Oct 23 05:36:14 2008 C:\WINDOWS\system32\GDI32.dll
        7e410000 4802a11b Apr 13 17:11:07 2008 C:\WINDOWS\system32\USER32.dll
        77f60000 45091361 Sep 14 01:31:29 2006 C:\WINDOWS\system32\SHLWAPI.dll
        7c9c0000 48580a39 Jun 17 12:02:17 2008 C:\WINDOWS\system32\SHELL32.dll
        73000000 4802a127 Apr 13 17:11:19 2008 C:\WINDOWS\system32\WINSPOOL.DRV
    SubSystemData: 00000000
    ProcessHeap: 000a0000
    ProcessParameters: 00020000
    WindowTitle: 'c:\windows\notepad.exe'
    ImageFile: 'c:\windows\notepad.exe'
    CommandLine: 'c:\windows\notepad.exe'
    ...
        WINDBG_DIR=C:\Program Files\Debugging Tools for Windows (x86)
        windir=C:\WINDOWS
        _NT_SYMBOL_PATH=srv*c:\Symbols*http://msdl.microsoft.com/download/symbols

0:000> !dh 01000000

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
    14C machine (i386)
    3 number of sections
    48025287 time date stamp Sun Apr 13 11:35:51 2008
    0 file pointer to symbol table
    0 number of symbols
    E0 size of optional header
    10F characteristics
        Relocations stripped
        Executable
        Line numbers stripped
        Symbols stripped
        32 bit word machine

OPTIONAL HEADER VALUES
    10B magic #
    7.10 linker version
    7800 size of code
    A600 size of initialized data
    0 size of uninitialized data
    739D address of entry point
    1000 base of code
    ----- new -----
    01000000 image base
    1000 section alignment
    200 file alignment
    2 subsystem (Windows GUI)
    5.01 operating system version
    5.01 image version
    4.00 subsystem version
    14000 size of image
    400 size of headers
    18700 checksum
    00040000 size of stack reserve
    00011000 size of stack commit
    00100000 size of heap reserve
    00001000 size of heap commit
    0 [ 0] address [size] of Export Directory
    7604 [ C8] address [size] of Import Directory
    B000 [ 8948] address [size] of Resource Directory
    0 [ 0] address [size] of Exception Directory
    0 [ 0] address [size] of Security Directory
    0 [ 0] address [size] of Base Relocation Directory
    1350 [ 1C] address [size] of Debug Directory
    0 [ 0] address [size] of Description Directory
    0 [ 0] address [size] of Special Directory
    0 [ 0] address [size] of Thread Storage Directory
    18A8 [ 40] address [size] of Load Configuration Directory
    250 [ D0] address [size] of Bound Import Directory
    1000 [ 348] address [size] of Import Address Table Directory
    0 [ 0] address [size] of Delay Import Directory
    0 [ 0] address [size] of COR20 Header Directory
    0 [ 0] address [size] of Reserved Directory

SECTION HEADER #1
    .text name
    7748 virtual size
    1000 virtual address
    7800 size of raw data
    400 file pointer to raw data
    0 file pointer to relocation table
    0 file pointer to line numbers
    0 number of relocations
    0 number of line numbers
    60000020 flags
        Code
        (no align specified)
        Execute Read

Debug Directories(1)
    Type Size Address Pointer
    cv   24   18f0    cf0     Format: RSDS, guid, 1, notepad.pdb

SECTION HEADER #2
    .data name
    1BA8 virtual size
    9000 virtual address
    800 size of raw data
    7C00 file pointer to raw data
    0 file pointer to relocation table
    0 file pointer to line numbers
    0 number of relocations
    0 number of line numbers
    C0000040 flags
        Initialized Data
        (no align specified)
        Read Write

SECTION HEADER #3
    .rsrc name
    8948 virtual size
    B000 virtual address
    8A00 size of raw data
    8400 file pointer to raw data
    0 file pointer to relocation table
    0 file pointer to line numbers
    0 number of relocations
    0 number of line numbers
    40000040 flags
        Initialized Data
        (no align specified)
        Read Only

0:000> u 01000000+739D
notepad!WinMainCRTStartup:
0100739d 6a70            push    70h
0100739f 6898180001      push    offset notepad!`string'+0x8 (01001898)
010073a4 e8bf010000      call    notepad!_SEH_prolog (01007568)
010073a9 33db            xor     ebx,ebx
010073ab 53              push    ebx
010073ac 8b3dcc100001    mov     edi,dword ptr [notepad!_imp__GetModuleHandleA (010010cc)]
010073b2 ffd7            call    edi
010073b4 6681384d5a      cmp     word ptr [eax],5A4Dh

0:000> bp 01000000+739D
0:000> g
ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll
ModLoad: 6f880000 6fa4a000 C:\WINDOWS\AppPatch\AcGenral.DLL
ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll
ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
ModLoad: 769c0000 76a74000 C:\WINDOWS\system32\USERENV.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\UxTheme.dll
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 629c0000 629c9000 C:\WINDOWS\system32\LPK.DLL
ModLoad: 74d90000 74dfb000 C:\WINDOWS\system32\USP10.dll
ModLoad: 48000000 48022000 C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll
Breakpoint 0 hit
eax=00000000 ebx=7ffd8000 ecx=0007ffb0 edx=7c90e4f4 esi=08f2f55c edi=7c911440
eip=0100739d esp=0007ffc4 ebp=0007fff0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
notepad!WinMainCRTStartup:
0100739d 6a70            push    70h
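The two numbers the procedure above reads off by hand (the image base and the entry-point RVA from the optional header) can be pulled straight out of the PE headers. The following is an added example, not code from the post: it parses a constructed PE32 header whose values mirror the notepad.exe dump above (image base 0x01000000, entry RVA 0x739D) and emits the same "bp base+rva" command; it also handles PE32+ (magic 0x20B), where ImageBase is a 64-bit field at a different offset, which the post does not cover.

```python
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_entry_point(data: bytes) -> tuple[int, int]:
    """Return (image_base, entry_rva) from a PE image's headers.

    Handles PE32 (magic 0x10B, 32-bit ImageBase at optional-header offset 28)
    and PE32+ (magic 0x20B, 64-bit ImageBase at optional-header offset 24).
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature, then the optional header
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # AddressOfEntryPoint is at offset 16 of the optional header in both formats
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return image_base, entry_rva


def windbg_bp_command(image_base: int, entry_rva: int) -> str:
    """Format the command the post types: bp <base>+<rva> (WinDbg's default radix is hex)."""
    return f"bp {image_base:08x}+{entry_rva:X}"


def build_sample_pe32(image_base: int, entry_rva: int) -> bytes:
    """Constructed minimal PE32 header for testing; the file-header values mirror the post's !dh output."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header right after the DOS header
    # Machine=14C, 3 sections, timestamp 48025287, no symbols, E0-byte optional header, 10F characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0x48025287, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
```

The ImageBase field parsed here is the preferred base the header carries; on a system that relocates images (ASLR), the breakpoint must use the actual loaded base that !peb reports as ImageBaseAddress, which on the XP session above happens to coincide with the header value.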


8 Responses to “Setting breakpoint on entry point with Windbg”

  1. Also, for the lazy:

    bp $exentry
    g
    ;-)

    That said, I like to use a similar version of what you have above except as a one-liner with poi() to de-reference the pointers because it works even in the crappy busted version of ntsd that XP shipped with.

  2. thanks for the tip ;)

  3. Why so sophisticated? Just use:

    bu @$exentry
    g

  6. Thanks a lot!! I searched this info for a long time.

  7. I’m extremely pleased to discover this website. I wanted to thank you for ones time due to this wonderful read!! I definitely enjoyed every bit of it and I have you saved to fav to see new things in your web site.

  8. Hello there, You have done an excellent job. I’ll definitely digg it and personally recommend to my friends.

    I am sure they will be benefited from this web site.
