How to set breakpoint at the very beginning of program execution

眼角桃花 2020-11-29 08:37

How can I stop the program before loading any of the linked DLLs?

I've tried to set LoadLibraryExW function in the Break At Function debug

7 Answers
  • 2020-11-29 09:14

    ntdll.dll is loaded by the kernel, during process creation. I don't know about the other dlls specifically, but they're most likely also loaded by the kernel.

    As far as I'm aware, what you're trying to do can't be done, unless you were to write a rootkit to overwrite part of the process creation code. Even then, I'm not sure if the process being created is really considered a process before these libraries are loaded.

  • 2020-11-29 09:20

    I don't think you can do this with the regular user-mode debugger in Visual Studio. Microsoft provides a free toolkit of other debugging tools, including kd (kernel debugger) and windbg, that might be able to interrupt the loading, but I doubt you'll ever be able to inspect the process before it loads ntdll. It's not really a process at that point.

    What are you trying to accomplish?

  • 2020-11-29 09:23

    Instead of starting with F5, just start debugging with F11 or F10.

  • 2020-11-29 09:34

    One way to break very early on is to manually add a Function Breakpoint on LdrInitializeThunk. This does not break before ntdll, but should be before any static initialization or user code.

  • 2020-11-29 09:37

    There is no way to do this because DLLs that your PE-executable depends on are loaded by the system (not by your process) before the process is even created. The process starts only when your executable is linked with all the functions imported from other DLLs.

    ADD: But of course DllMain routines are running for every DLL only when the process is started and you may debug them.

  • 2020-11-29 09:39

    You can do this by adding a registry key to "Image File Execution Options" with the name of your exe. Add a value of type string named "Debugger" and set it to vsjitdebugger.exe to launch the just-in-time debugger dialog, which then lets you pick one of the available debuggers, including Visual Studio. This dialog is triggered right after Windows has loaded the EXE, before any code starts running.

    Here is a sample .reg file that triggers the dialog when you start notepad.exe. Modify the key name to your .exe:

    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
    "Debugger"="vsjitdebugger.exe"
    
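The "Debugger" value from the last answer stays in effect for every launch of that executable until it is removed, so it is worth listing what is set and cleaning up once the debugging session is over. The PowerShell below is an added example, not part of the original answers; the function names Get-IfeoDebugger and Remove-IfeoDebugger are hypothetical, and it reads only the key shown in the .reg file above.

```powershell
# Added example (not from the original thread): audit and clean up
# "Debugger" values under Image File Execution Options.
# Assumption: only the HKLM key used in the sample .reg file is inspected.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    # Returns one object per executable name that has a Debugger value set.
    param([string]$Root = $ifeoRoot)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        $value = $key.GetValue('Debugger', $null)
        if ($null -ne $value) {
            [pscustomobject]@{
                Image    = $key.PSChildName   # e.g. notepad.exe
                Debugger = $value             # e.g. vsjitdebugger.exe
                KeyPath  = $key.PSPath
            }
        }
    }
}

function Remove-IfeoDebugger {
    # Deletes only the Debugger value; the subkey and other values are kept.
    # Writing under HKLM requires an elevated shell.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Image)
    foreach ($entry in Get-IfeoDebugger | Where-Object Image -eq $Image) {
        if ($PSCmdlet.ShouldProcess($entry.KeyPath, 'Remove Debugger value')) {
            Remove-ItemProperty -LiteralPath $entry.KeyPath -Name 'Debugger'
        }
    }
}

# Show every executable whose start is currently redirected to a debugger.
Get-IfeoDebugger | Format-Table Image, Debugger -AutoSize

# Preview the cleanup for the sample entry; drop -WhatIf to apply it.
# Remove-IfeoDebugger -Image 'notepad.exe' -WhatIf
```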