X86: Is it possible to debug a break when a specific pointer to a string is pushed onto the stack?
I am debugging a third party DLL for which I have no source code. This DLL maintains a string pool. I want to catch the earliest occurrence where one of these lines is passed to a function ... any function at all ...
In other words, I want to detect when a pointer-to-null-terminated string in a specific format is pushed onto the stack ... by someone, and I want to debug Debug when that happens.
I know that you can set a "break-on-access" breakpoint that will fire when the CPU reads / writes / executes a specific address. What I want is like this: for every line pushed onto the stack, I want to test it in a specific format, and if it matches, do a break.
Using WinDbg, OllyDb, VS2008, any ideas?
Thank!
I would say this is not possible with your requirements:
I want to detect when a string is pointer to null with a specific format
As in the previous answer, you should be able to match your string to anything as soon as your breakpoints are
I want to catch the earliest occurrence where one of these lines is passed to a function ... any function at all ... What I want is like this: for every line pushed onto the stack, I want to test it in a specific format and if it matches, do the break.
Thus, you need to determine when any function with a specific pointer parameter on the stack is called - this is the "impossible" part. In theory there are several ways to do this, but they should get slower and more complex ... And what if a function receives a pointer to a pointer that has a tracked value, or an array containing that pointer ...
What are you trying to achieve? Why do you need a place where the string is first passed to the function? Using a string is what is most often important, and as you know you can break this with a simple memory access point (if the string is ever copied, add another breakpoint).
I would recommend that you take a different approach, use a disassembler, and do some more static analyzes with a bit of debugging to get to what you need ...
source to share