I am trying to examine the assembly for an executable using WinDBG, but I am having a hard time getting to it. I want to set a breakpoint at the first instruction in my program, but when I try to do that manually (using the address of the module), WinDBG tells me that it is “unable to insert breakpoint” at that location due to an “Invalid access to memory location.”
I notice that when I create a breakpoint through the source code GUI, the address is not the same as the first part of my module (In my example: “Win32FileOpen”, a simple program I wrote.) Is there a header of some sort that requires adding an offset to the address of my module?
In another question, I saw the suggestion: “I would attempt to calculate the breakpoint address as: Module start + code start + code offset” but was unsure where to obtain those values. Can somebody please elaborate on this?
The reason I don’t just use the source GUI is that I want to be able to do this with a program that I may not have the source/symbols for.
If there is an easier way to immediately start working with the executable I open, please let me know. (e.g. Opening an .exe Olly immediately shows me the assembly for that .exe, searching for referenced strings gives me results from that module, etc. WinDBG seems to start me off in ntdll.dll, which is not usually useful for me.)
0:000> lm
start end module name
00000000`00130000 00000000`0014b000 Win32FileOpen C (private pdb symbols) C:\cfinley\code\Win32FileOpen\Debug\Win32FileOpen.pdb
00000000`73bd0000 00000000`73c2c000 wow64win (deferred)
00000000`73c30000 00000000`73c6f000 wow64 (deferred)
00000000`74fe0000 00000000`74fe8000 wow64cpu (deferred)
00000000`77750000 00000000`778f9000 ntdll (pdb symbols) c:\symbols\mssymbols\ntdll.pdb\15EB43E23B12409C84E3CC7635BAF5A32\ntdll.pdb
00000000`77930000 00000000`77ab0000 ntdll32 (deferred)
0:000> bu 00000000`00130000
0:000> bl
0 e x86 00000000`001413a0 0001 (0001) 0:**** Win32FileOpen!main <-- One that is generated via GUI
1 e x86 00000000`00130000 0001 (0001) 0:**** Win32FileOpen!__ImageBase <-- One I tried to set manually
0:000> g
Unable to insert breakpoint 1 at 00000000`00130000, Win32 error 0n998
"Invalid access to memory location."
bp1 at 00000000`00130000 failed
WaitForEvent failed
ntdll!LdrpDoDebuggerBreak+0x31:
00000000`777fcb61 eb00 jmp ntdll!LdrpDoDebuggerBreak+0x33 (00000000`777fcb63)
You should be able to list all the entry points for your dll using the following:
but be warned this will list everything,
if you wanted just Win32FileOpen:
will list all that match, this will list the correct addresses that you can set the breakpoint on.
Your other question about offsets, you can set a breakpoint on a method name or address and add an offset:
If you open the exectuable it will debugbreak immediately and probably not start loading your dlls, if this is an issue then you can set unresolved breakpoints:
or just attach when the app starts, list the strings and then set the breakpoints.
You may also consider setting breakpoints on source line:
where XXX is the line number, note you must use grave accents to demark the source line, hope this helps.
Edit
Just found this link which may be of interest for you: http://mattoh.wordpress.com/2010/08/06/setting-breakpoint-on-entry-poin-with-windbg/
also one of the commentators pointed to one of the pseudo registers which allows you to set the bp on the entry point for your exe:
or