x64dbg 条件断点相关文档

输入

字符格式

条件断点

Input

When using x64dbg you can often use various things as input.

Commands

Commands have the following format:

command arg1, arg2, argN

Variables

Variables optionally start with a $ and can only store one DWORD (QWORD on x64).

Registers

All registers (of all sizes) can be used as variables.

Remarks

• The variable names for most registers are the same as the names for them, except for the following registers:
• x87 Control Word Flag: The flags for this register is named like this: _x87CW_UM
• In addition to the registers in the architecture, x64dbg provides the following registers: CAX , CBX , CCX , CDX , CSP , CBP , CSI , CDI , CIP. These registers are mapped to 32-bit registers on 32-bit platform, and to 64-bit registers on 64-bit platform. For example, CIP is EIP on 32-bit platform, and is RIP on 64-bit platform. This feature is intended to support architecture-independent code.

Memory locations

You can read/write from/to a memory location by using one of the following expressions:

• [addr] read a DWORD/QWORD from addr.
• n:[addr] read n bytes from addr.
• seg:[addr] read a DWORD/QWORD from a segment at addr.
• byte:[addr] read a BYTE from addr.
• word:[addr] read a WORD from addr.
• dword:[addr] read a DWORD from addr.
• qword:[addr] read a QWORD from addr (x64 only).

Remarks

• n is the amount of bytes to read, this can be anything smaller than 4 on x32 and smaller than 8 on x64 when specified, otherwise there will be an error.
• seg can be gs, es, cs, fs, ds, ss. Only fs and gs have an effect.

Flags

Debug flags (interpreted as integer) can be used as input. Flags are prefixed with an _ followed by the flag name. Valid flags are: _cf, _pf, _af, _zf, _sf, _tf, _if, _df, _of, _rf, _vm, _ac, _vif, _vip and _id.

Numbers

All numbers are interpreted as hex by default! If you want to be sure, you can x or 0x as a prefix. Decimal numbers can be used by prefixing the number with a dot: .123=7B.

Expressions

See the expressions section for more information.

Labels/Symbols

User-defined labels and symbols are a valid expressions (they resolve to the address of said label/symbol).

Module Data

DLL exports

Type GetProcAddress and it will automatically be resolved to the actual address of the function. To explicitly define from which module to load the API, use: [module].dll:[api] or [module]:[api]. In a similar way you can resolve ordinals, try [module]:[ordinal]. Another macro allows you to get the loaded base of a module. When [module] is an empty string :GetProcAddress for example, the module that is currently selected in the CPU will be used.

Loaded module bases

If you want to access the loaded module base, you can write: [module]:0, [module]:base, [module]:imagebase or [module]:header.

RVA/File offset

If you want to access a module RVA you can either write [module]:0+[rva] or you can write [module]:$[rva]. If you want to convert a file offset to a VA you can use [module]:#[offset]. When [module] is an empty string :0 for example, the module that is currently selected in the CPU will be used.

Module entry points

To access a module entry point you can write [module]:entry, [module]:oep or [module]:ep. Notice that when there are exports with the names entry, oep or ep the address of these will be returned instead.

Remarks

Instead of the : delimiter you can also use a . If you need to query module information such as [module]:imagebase or [module]:entry you are advised to use a ? as delimiter instead: [module]?entry. The ? delimiter does checking for named exports later, so it will still work when there is an export called entry in the module.

Last words

Input for arguments can always be done in any of the above forms, except if stated otherwise.

字符格式

String Formatting

This section explains the simple string formatter built into x64dbg.

The basic syntax is {?:expression} where ? is the optional type of the expression. The default type is x. To output { or } in the result, escape them as {{ or }}.

Types

• d signed decimal: -3
• u unsigned decimal: 57329171
• p zero prefixed pointer: 0000000410007683
• s string pointer: this is a string
• x hex: 3C28A
• a address info: 00401010 <module.EntryPoint>
• i instruction text: jmp 0x77ac3c87

Complex Type

// "[]" 中括号表示可选的意思

{mem;size@address} will print the size bytes starting at address in hex.

{winerror@code} will print the name of windows error code(returned with GetLastError()) and the description of it(with FormatMessage). It is similar to ErrLookup utility.

{ntstatus@code} will print the name of NTSTATUS error code and the description of it(with FormatMessage).

{ascii[;length]@address} will print the ASCII string at address with an optional length (in bytes).

{ansi[;length]@address} will print the ANSI string at address with an optional length (in bytes).

{utf8[;length]@address} will print the UTF-8 string at address with an optional length (in bytes).

{utf16[;length]@address} will print the UTF-16 string at address with an optional length (in words).

{disasm@address} will print the disassembly at address (equivalent to {i:address}).

{modname@address} will print the name of the module at address.

{bswap[;size]@value} will byte-swap value for a specified size (size of pointer per default).

Examples

• rax: {rax} formats to rax: 4C76
• password: {s:4*ecx+0x402000} formats to password: L"s3cret"
• {x:bswap(rax)} where rax=0000000078D333E0 formats to E033D37800000000 because of bswap fun which reverse the hex value
• {bswap;4@rax} where rax=1122334455667788 formats to 88776655

Logging

When using the log command you should put quotes around the format string (log "{mem;8@rax}") to avoid ambiguity with the ; (which separates two commands). See https://github.com/x64dbg/x64dbg/issues/1931 for more details.

Plugins

Plugins can use _plugin_registerformatfunction to register custom string formatting functions. The syntax is {type;arg1;arg2;argN@expression} where type is the name of the registered function, argNis any string (these are passed to the formatting function as arguments) and expression is any valid expression.

条件断点

Conditional Breakpoints

This section describes the conditional breakpoint capability in x64dbg.

Operations overview

When a breakpoint is hit, x64dbg will do the following things:

• If the breakpoint is an exception breakpoint, set the system variable $breakpointexceptionaddressto the exception address;
• Increment the hit counter;
• Set the system variable $breakpointcounter to the value of hit counter;
• If break condition is set, evaluate the expression (defaults to 1);
• If fast resume is set and break condition evaluated to 0:
  • Resume execution of the debuggee (skip the next steps). This will also skip executing plugin callbacks and GUI updates.
• If log condition is set, evaluate the expression (defaults to 1);
• If command condition is set, evaluate the expression (defaults to break condition);
• If break condition evaluated to 1 (or any value other than ‘0’):
  • Print the standard log message; (if the breakpoint is set to be silent, standard log message is supressed.)
  • Execute plugin callbacks.
• If log text is set and log condition evaluated to 1 (or any value other than ‘0’):
  • Format and print the log text (see String Formatting).
• If command text is set and command condition evaluated to 1:
  • Set the system variable $breakpointcondition to the break condition;
  • Set the system variable $breakpointlogcondition to the log condition;
  • Execute the command in command text;
  • The break condition will be set to the value of $breakpointcondition. So if you modify this system variable in the script, you will be able to control whether the debuggee would break.
• If break condition evaluated to 1 (or any value other than ‘0’):
  • Break the debuggee and wait for the user to resume.

If any expression is invalid, the condition will be triggered (That is, an invalid expression as condition will cause the breakpoint to always break, log and execute command).

Hit counter

A hit counter records how many times a breakpoint has been reached. It will be incremented unconditionally, even if fast resume is enabled on this breakpoint. It may be viewed at breakpoint view and reset with ResetBreakpointHitCount.

Logging

The log can be formatted by x64dbg to log the current state of the program. See formatting on how to format the log string.

Notes

You can set a conditional breakpoint with GUI by setting a software breakpoint(key F2) first, then right-click on the instruction and select “Edit breakpoint” command from the context menu. Fill in the conditional expression and/or other information as necessary, then confirm and close the dialog.

You should not use commands that can change the running state of the debuggee (such as run) inside the breakpoint command, because these commands are unstable when used here. You can use break condition, command condition or $breakpointcondition instead.

If you don’t know where the condition will become true, try conditional tracing instead!

Examples

A conditional breakpoint which never breaks

break condition: 0

A conditional breakpoint which breaks only if EAX and ECX both equal to 1

break condition: EAX==1 && ECX==1

A conditional breakpoint which breaks only if EAX is a valid address

break condition: mem.valid(EAX)

A conditional breakpoint which breaks on the third hit

break condition: $breakpointcounter==3 or ($breakpointcounter%3)==0

A conditional breakpoint which breaks only if executed by the thread 1C0

break condition: tid()==1C0