t_bphard
Descriptor of the hardware breakpoint.
Plugins are not allowed to modify this structure directly. Instead, they must call the corresponding API functions.
typedef struct t_bphard {              // Hardware breakpoints
  ulong          index;                // Index of the breakpoint (0..NHARD-1)
  ulong          dummy;                // Must be 1
  ulong          type;                 // Type of the breakpoint, TY_xxx+BP_xxx
  ulong          addr;                 // Address of breakpoint
  ulong          size;                 // Size of the breakpoint, bytes
  int            fnindex;              // Index of predefined function
  ulong          limit;                // Original pass count (0 if not set)
  ulong          count;                // Actual pass count
  ulong          actions;              // Actions, set of BA_xxx
  ulong          modbase;              // Module base, used by .udd only
  wchar_t        path[MAXPATH];        // Full module name, used by .udd only
} t_bphard;
Members:
index
0-based index of the breakpoint. 80x86 CPUs support only 4 hardware breakpoints, therefore index can be only 0, 1, 2 or 3
dummy
Must be 1
type
Type of the breakpoint, combination of the flags BP_xxx listed below (and possibly TY_xxx).
Basic type of the breakpoint, at least one is required. With some limitations, breakpoint may have several types at once:
BP_MANUAL - permanent breakpoint set by user
BP_ONESHOT - one-shot breakpoint set by debugging engine. When this breakpoint is hit, OllyDbg removes BP_ONESHOT and pauses the debugged application
BP_TEMP - temporary breakpoint set by debugging engine or plugins. When this breakpoint is hit, OllyDbg removes BP_TEMP, performs actions associated with the breakpoint and continues execution
Access condition. The only allowed combinations are BP_READ, BP_READ|BP_WRITE and BP_EXEC:
BP_READ - break on read memory access
BP_WRITE - break on write memory access
BP_EXEC - break on code execution
Features of the permanent breakpoint (BP_MANUAL), a combination of zero or more of the following flags:
BP_DISABLED - breakpoint is disabled
BP_COND - conditional breakpoint. Its action depends on the associated condition (name of type NM_HARDCOND)
BP_PERIODICAL - periodical breakpoint (pauses each limit-th break)
When to pause execution when permanent breakpoint is hit, one of the following flags:
BP_NOBREAK - no pause
BP_CONDBREAK - pause when condition is true
BP_BREAK - pause always
When to protocol the value of expression (name of type NM_HARDEXPR), one of the following flags:
BP_NOLOG - don't protocol
BP_CONDLOG - protocol if condition is true
BP_LOG - protocol always
When to protocol the arguments of the function that is called or begins at addr (applies only to the breakpoints of type BP_EXEC), one of the following flags:
BP_NOARG - don't protocol
BP_CONDARG - protocol if condition is true
BP_ARG - protocol always
When to protocol the value returned by a call to function (applies only to the breakpoints of type BP_EXEC), one of the following flags:
BP_NORET - don't protocol
BP_CONDRET - protocol if condition is true
BP_RET - protocol always
addr
Address of the first byte of the memory covered by the breakpoint
size
Size of the memory covered by the breakpoint. For breakpoints of type BP_READ and BP_READ|BP_WRITE this size can be 1, 2 or 4 bytes. If size is 2, addr must be word-aligned. If size is 4, addr must be doubleword-aligned. For hardware breakpoints of type BP_EXEC, size must be 1
fnindex
Internal index of the predefined function that should be used to protocol function arguments
limit
Original pass count, or 0 if pass count is not set
count
Current pass count
actions
Special actions associated with breakpoint of type BP_TEMP, a combination of zero or more of the following flags:
BA_PERMANENT - permanent temporary breakpoint. OllyDbg sets them on important system routines, like ZwContinue()
BA_PLUGIN - when breakpoint is hit, OllyDbg passes this event to ODBG2_Plugintempbreakpoint()
modbase
For internal use
path
For internal use
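The constraints stated above for index, dummy, type, addr and size can be checked before a descriptor is acted on. The following is an added example, not code from OllyDbg or its plugin header: demo_bphard, check_hard_bp and the HB_xxx result codes are hypothetical names, the numeric BP_xxx values are placeholders, and rejecting a descriptor with no access flag at all is an assumption.

```c
#include <stdio.h>

/* Placeholder values so the example compiles stand-alone (assumption);
   a real plugin takes NHARD and the BP_xxx flags from the OllyDbg plugin header. */
#define NHARD       4        /* 80x86: indexes 0..3 */
#define BP_MANUAL   0x0001UL
#define BP_ONESHOT  0x0002UL
#define BP_TEMP     0x0004UL
#define BP_READ     0x0010UL
#define BP_WRITE    0x0020UL
#define BP_EXEC     0x0040UL

enum { HB_OK, HB_BADINDEX, HB_BADDUMMY, HB_NOBASETYPE,
       HB_BADACCESS, HB_BADSIZE, HB_MISALIGNED };

/* Reduced copy of the descriptor: only the members checked here. */
typedef struct demo_bphard {
  unsigned long index, dummy, type, addr, size;
} demo_bphard;

/* Hypothetical helper: checks the documented constraints on one descriptor. */
int check_hard_bp(const demo_bphard *bp) {
  unsigned long access = bp->type & (BP_READ | BP_WRITE | BP_EXEC);
  if (bp->index >= NHARD) return HB_BADINDEX;
  if (bp->dummy != 1) return HB_BADDUMMY;
  if ((bp->type & (BP_MANUAL | BP_ONESHOT | BP_TEMP)) == 0) return HB_NOBASETYPE;
  if (access == BP_EXEC)                       /* execution: size must be 1 */
    return bp->size == 1 ? HB_OK : HB_BADSIZE;
  if (access != BP_READ && access != (BP_READ | BP_WRITE))
    return HB_BADACCESS;                       /* BP_WRITE alone, mixed, or none */
  if (bp->size != 1 && bp->size != 2 && bp->size != 4) return HB_BADSIZE;
  if (bp->addr & (bp->size - 1)) return HB_MISALIGNED;  /* word/dword alignment */
  return HB_OK;
}

int main(void) {
  /* Constructed sample descriptors: index, dummy, type, addr, size */
  demo_bphard ok    = {0, 1, BP_MANUAL | BP_READ | BP_WRITE, 0x00401000UL, 4};
  demo_bphard wonly = {1, 1, BP_MANUAL | BP_WRITE, 0x00401000UL, 4};
  demo_bphard odd   = {2, 1, BP_TEMP | BP_READ, 0x00401002UL, 4};
  demo_bphard exec2 = {3, 1, BP_ONESHOT | BP_EXEC, 0x00401003UL, 2};
  printf("%d %d %d %d\n", check_hard_bp(&ok), check_hard_bp(&wonly),
         check_hard_bp(&odd), check_hard_bp(&exec2));
  return 0;
}
```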