Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share

I'm relatively new to WinDbg, so I'm hoping this is just something obvious I'm missing. I have a .NET assembly that contains the function calls InitializeProcThreadAttributeList, UpdateProcThreadAttribute and DeleteProcThreadAttributeList, defined using P/Invoke. All three of those functions are imported from the "kernel32.dll" library. My goal is to trace these functions to understand the ntdll sys calls being used.

I tried to set a breakpoint with this command:

bp KERNEL32!InitializeProcThreadAttributeList

but got this error:

Couldn't resolve error at 'KERNEL32!InitializeProcThreadAttributeList'

Next, I searched for any sign of this function using the following command:

x kernel32!*procthread*

I got this reply:

00007ffd`c7598588 KERNEL32!_imp_InitializeProcThreadAttributeList = <no type information>

I then tried to set a breakpoint on this stub? function like this:

bp kernel32!_imp_InitializeProcThreadAttributeList

Although it says the breakpoint has been defined, when I continue execution, it errors with this:

Unable to insert breakpoint 0 at 00007ffd`c7598588, Win32 error 0n998
    "Invalid access to memory location."

I also tried setting the breakpoint with "bu", but that produced the same error.

Does anyone know how to set a breakpoint in this situation? Thank you in advance!



1 Answer

Most of the functions in kernel32 have been implemented in kernelbase.dll, and kernel32 only contains a thunk.

The telltale sign is the IMP, denoting "imported from":

_imp_InitializeProcThreadAttributeList

Try setting bp kernelbase!InitializeProcThreadAttributeList

0:000> x /v kernel32!InitializeProcThreadAttributeList
pub func   761f4fc1             0 kernel32!InitializeProcThreadAttributeList (<no parameter info>)

0:000> u kernel32!InitializeProcThreadAttributeList l1
kernel32!InitializeProcThreadAttributeList:
761f4fc1 ff25c0181476    jmp dword ptr [kernel32!_imp__InitializeProcThreadAttributeList (761418c0)]

0:000> ? poi(kernel32!_imp__InitializeProcThreadAttributeList)
Evaluate expression: 1978493618 = 75ed6ab2

0:000> ln poi(kernel32!_imp__InitializeProcThreadAttributeList)
Exact matches:
    KERNELBASE!InitializeProcThreadAttributeList (<no parameter info>)


0:000> bp poi(kernel32!_imp__InitializeProcThreadAttributeList)
0:000> bl
 0 e 75ed6ab2     0001 (0001)  0:**** KERNELBASE!InitializeProcThreadAttributeList

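The answer's session is from a 32-bit target (`_imp__`, `dword ptr`); the command sequence below is an added example, not part of the original answer, showing the same approach on the 64-bit target from the question, where the symbol has a single underscore (`_imp_`). It assumes KERNELBASE exports all three functions named in the question. The `_imp_` symbol is an import-table slot holding a pointer, so `bp` on it tries to patch data rather than code, which is consistent with the Win32 error 0n998 in the question.

```windbg
$$ Added example: x64 command sequence, not taken from the original post.

$$ 1. Confirm that the real implementations are in KERNELBASE.
x KERNELBASE!*ProcThreadAttribute*

$$ 2. Show what the import slot points to. dps prints the stored
$$    pointer together with the symbol it resolves to.
dps KERNEL32!_imp_InitializeProcThreadAttributeList L1

$$ 3. Break on the slot's target (the code), not on the slot itself.
bp poi(KERNEL32!_imp_InitializeProcThreadAttributeList)

$$ 4. Or name the implementation directly. Assumption: KERNELBASE
$$    exports these two functions as well.
bp KERNELBASE!UpdateProcThreadAttribute
bp KERNELBASE!DeleteProcThreadAttributeList

$$ 5. List the breakpoints, resume, and inspect the caller on a hit.
bl
g
k
```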