Descriptor of the hardware breakpoint. Plugins are not allowed to modify this structure directly. Instead, they must call the corresponding API functions.
typedef struct t_bphard {       // Hardware breakpoints
  ulong   index;                // Index of the breakpoint (0..NHARD-1)
  ulong   dummy;                // Must be 1
  ulong   type;                 // Type of the breakpoint, TY_xxx+BP_xxx
  ulong   addr;                 // Address of breakpoint
  ulong   size;                 // Size of the breakpoint, bytes
  int     fnindex;              // Index of predefined function
  ulong   limit;                // Original pass count (0 if not set)
  ulong   count;                // Actual pass count
  ulong   actions;              // Actions, set of BA_xxx
  ulong   modbase;              // Module base, used by .udd only
  wchar_t path[MAXPATH];        // Full module name, used by .udd only
} t_bphard;
Members:
index
0-based index of the breakpoint. 80x86 CPUs support only 4 hardware breakpoints, therefore index can be only 0, 1, 2 or 3
dummy
Must be 1
type
Type of the breakpoint, combination of the flags BP_xxx listed below (and possibly TY_xxx).
Basic type of the breakpoint, at least one is required. With some limitations, breakpoint may have several types at once:
BP_MANUAL - permanent breakpoint set by user
BP_ONESHOT - one-shot breakpoint set by debugging engine. When this breakpoint is hit, OllyDbg removes BP_ONESHOT and pauses the debugged application
BP_TEMP - temporary breakpoint set by debugging engine or plugins. When this breakpoint is hit, OllyDbg removes BP_TEMP, performs actions associated with the breakpoint and continues execution
Access condition. The only allowed combinations are BP_READ, BP_READ|BP_WRITE and BP_EXEC:
BP_READ - break on read memory access
BP_WRITE - break on write memory access
BP_EXEC - break on code execution
Features of the permanent breakpoint (BP_MANUAL), a combination of zero or more of the following flags:
BP_DISABLED - breakpoint is disabled
BP_COND - conditional breakpoint. Its action depends on the associated condition (name of type NM_HARDCOND)
BP_PERIODICAL - periodical breakpoint (pauses each limit-th break)
When to pause execution when permanent breakpoint is hit, one of the following flags:
BP_NOBREAK - no pause
BP_CONDBREAK - pause when condition is true
BP_BREAK - pause always
When to protocol the value of expression (name of type NM_HARDEXPR), one of the following flags:
BP_NOLOG - don't protocol
BP_CONDLOG - protocol if condition is true
BP_LOG - protocol always
When to protocol the arguments of the function that is called or begins at addr (applies only to the breakpoints of type BP_EXEC), one of the following flags:
BP_NOARG - don't protocol
BP_CONDARG - protocol if condition is true
BP_ARG - protocol always
When to protocol the value returned by a call to function (applies only to the breakpoints of type BP_EXEC), one of the following flags:
BP_NORET - don't protocol
BP_CONDRET - protocol if condition is true
BP_RET - protocol always
addr
Address of the first byte of the memory covered by the breakpoint
size
Size of the memory covered by the breakpoint. For breakpoints of type BP_READ and BP_READ|BP_WRITE this size can be 1, 2 or 4 bytes. If size is 2, addr must be word-aligned. If size is 4, addr must be doubleword-aligned. For hardware breakpoints of type BP_EXEC, size must be 1
fnindex
Internal index of the predefined function that should be used to protocol function arguments
limit
Original pass count, or 0 if pass count is not set
count
Current pass count
actions
Special actions associated with breakpoint of type BP_TEMP, a combination of zero or more of the following flags:
BA_PERMANENT - permanent temporary breakpoint. OllyDbg sets them on important system routines, like ZwContinue()
BA_PLUGIN - when breakpoint is hit, OllyDbg passes this event to ODBG2_Plugintempbreakpoint()
modbase
For internal use
path
For internal use
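
The constraints stated above for index, type, addr and size can be checked in a plugin before a breakpoint request is handed to the API. The following is an added example, not part of the original documentation or of OllyDbg itself: check_bphard() and the BPH_xxx codes are hypothetical names, and the BP_xxx values are placeholders that only let the code compile stand-alone.

```c
#include <stdint.h>

/* Placeholder flag values so the example compiles stand-alone (assumption);
   in a real plugin the definitions come from the OllyDbg plugin header. */
#ifndef BP_MANUAL
#define NHARD      4
#define BP_MANUAL  0x00001000u
#define BP_ONESHOT 0x00002000u
#define BP_TEMP    0x00004000u
#define BP_READ    0x00200000u
#define BP_WRITE   0x00400000u
#define BP_EXEC    0x00800000u
#endif

/* Hypothetical result codes, not part of the OllyDbg API. */
enum bphard_check {
  BPH_OK = 0, BPH_BAD_INDEX, BPH_NO_BASETYPE,
  BPH_BAD_ACCESS, BPH_BAD_SIZE, BPH_MISALIGNED
};

/* Hypothetical helper: checks index, type, addr and size against the
   constraints documented for t_bphard. */
static enum bphard_check check_bphard(uint32_t index, uint32_t type,
                                      uint32_t addr, uint32_t size) {
  uint32_t access = type & (BP_READ | BP_WRITE | BP_EXEC);

  if (index >= NHARD)                      /* only indexes 0..3 exist */
    return BPH_BAD_INDEX;
  if ((type & (BP_MANUAL | BP_ONESHOT | BP_TEMP)) == 0)
    return BPH_NO_BASETYPE;                /* at least one basic type */
  if (access == BP_EXEC)                   /* execution: size must be 1 */
    return size == 1 ? BPH_OK : BPH_BAD_SIZE;
  if (access != BP_READ && access != (BP_READ | BP_WRITE))
    return BPH_BAD_ACCESS;                 /* e.g. BP_WRITE alone */
  if (size != 1 && size != 2 && size != 4)
    return BPH_BAD_SIZE;
  if (addr & (size - 1))                   /* word/doubleword alignment */
    return BPH_MISALIGNED;
  return BPH_OK;
}

int main(void) {
  /* Constructed sample: 4-byte read/write watch on an aligned address. */
  return check_bphard(0, BP_MANUAL | BP_READ | BP_WRITE, 0x00401000u, 4);
}
```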