CSm1n | 2 years ago

It is a flag that says whether the loader data is initialized or not.

The layout of PEB_LDR_DATA “leaked” a long time ago in public PDBs.

More context: It has nothing to do with debugging. However, if you attach to the process early enough, you might see the flag as 0 and eventually it would switch to 1. That is probably what threw him off.

lukan | 2 years ago

"you might see the flag as 0 and eventually it would switch to 1"

Sorry, noob question: Were there easily available tools (in the debugger) to monitor a variable like this and have the debugger stop exactly when it was going to change, so you could see which thread and function did it and why?

jasomill | 2 years ago

Yes: many debuggers support setting watchpoints[1] that break on writes to a particular memory location.

Depending on the platform and the debugger, these can be implemented using CPU architecture-specific debugging features, or in software, by single-step program execution and checking watched addresses for changes after each step.

[1] https://sourceware.org/gdb/current/onlinedocs/gdb.html/Set-W...
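Added example, not code from this thread or from any debugger: the software flavour of watchpoint jasomill describes, implemented with ptrace on Linux/x86-64. The tracer single-steps a forked child and re-reads a watched int after every step; when the value changes it records the step count and the child's rip, which lands inside the function that did the write. `ldr_initialized`, `init_loader` and `software_watch` are constructed stand-ins for the loader flag and the debugger, and x86-64 register names are assumed.

```c
// Software watchpoint by single-stepping a tracee (Linux/x86-64, glibc).
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* Constructed stand-in for the loader's "initialized" flag from the thread. */
static volatile int ldr_initialized = 0;
/* The writer the watchpoint should catch (noinline so it keeps its own address). */
__attribute__((noinline)) void init_loader(void) { ldr_initialized = 1; }
/* Tracee: request tracing, stop so the tracer can take over, then run on. */
static void tracee(void) {
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(2); /* ptrace not permitted */
    raise(SIGSTOP);
    init_loader();
    _exit(0);
}
/* Tracer: single-step the forked child and re-read the watched int after each step.
 * On change, returns the step count, *hit_pc = the child's rip (the instruction right
 * after the write) and *new_value = the value seen. Returns -1 on ptrace failure. */
long software_watch(uintptr_t *hit_pc, int *new_value) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) tracee();
    int status;
    long steps = 0, result = -1;
    void *addr = (void *)&ldr_initialized;      /* same address in the forked child */
    if (waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status)) return -1;
    errno = 0;
    int old = (int)ptrace(PTRACE_PEEKDATA, pid, addr, NULL); /* low 32 bits = the int */
    while (errno == 0 && ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL) == 0 &&
           waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        steps++;
        errno = 0;
        int cur = (int)ptrace(PTRACE_PEEKDATA, pid, addr, NULL);
        if (errno == 0 && cur != old) {             /* the watchpoint "fires" */
            struct user_regs_struct regs;
            if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == 0) *hit_pc = (uintptr_t)regs.rip;
            *new_value = cur;
            result = steps;
            break;
        }
    }
    kill(pid, SIGKILL);                             /* done tracing; reap the child */
    waitpid(pid, NULL, 0);
    return result;
}
```

A hardware watchpoint does the same job with a debug register instead of a step-and-compare loop, which is why it costs nothing per instruction while this version slows the tracee by orders of magnitude.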

DaiPlusPlus | 2 years ago

Yes, x86 kernel-mode debuggers support hardware breakpoints that cause the attached debugger (running on a separate machine, of course) to break not just when a specific address/instruction is executed, but also whenever some address is written to (and also possibly read from too, I think?)