I need to set a breakpoint in the WinDbg debugger when the address in a register points to a memory block with some pattern, and that pattern is not at a fixed offset, something like
bp ws2_32!sendto "j s @rdx @rdx+100 53 65 6e 64 g"
How do I write this condition properly? I need to break on sendto only when, in the range of addresses between rdx and rdx+100, there is this pattern 53 65 6e 64.
bp ws2_32!sendto ".if(s @rdx @rdx+100 53 65 6e 64) == 0 { g }" gives an error too.
The problem is that the s command does not make up a valid condition. It either prints a result or not.
Preparation for the demonstration
2:007> .dvalloc 1000
Allocated 1000 bytes starting at 003b0000
2:007> eb 003b0000 53 65 6e 64
2:007> db 003b0000 L10
003b0000 53 65 6e 64 00 00 00 00-00 00 00 00 00 00 00 00 Send............
A test using s
2:007> s-a 003b0000 L100 "Send"
003b0000 53 65 6e 64 00 00 00 00-00 00 00 00 00 00 00 00 Send............
2:007> s-a 003b0000 L100 "Test"
You can use .foreach on the output of s. It will run the command for every word in the output, which is too much:
2:007> .foreach (output {s-a 003b0000 L100 "Send"}) { .echo "found" }
found
found
found
found
[...]
So let's use the fact that s has a special option for outputting just the address:
2:007> .foreach (output {s-[1]a 003b0000 L100 "Send"}) { .echo "found" }
found
I can't repro with your breakpoint at the moment, but it should look like
bp ws2_32!sendto ".foreach (output {s-[1]a @rdx L100 "Send"}) { g }"
This should also work when searching for bytes instead of ASCII string and with a register instead of an address
2:007> r eax = 003b0000
2:007> .foreach (output {s-[1]b @eax L100 53 65 6e 64}) { .echo "found" }
found
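A variant of the same .foreach-over-s construct, added here as an example and not part of the answer above: it records in the user pseudo-register $t0 whether s printed any address, and uses that flag to resume (gc) only when the pattern is absent, so the debugger stays stopped only when the buffer contains the bytes, which is the condition asked for in the question. The buffer address (003b0000, from the .dvalloc/eb preparation above), the register (rdx as the buffer pointer) and the search length L100 are assumptions; the pattern is the same 53 65 6e 64 ("Send") used in the answer.

```windbg
$$ Added example (not from the answer): stop only when the pattern IS present.
$$ Stand-alone check first, reusing the buffer prepared with .dvalloc / eb above.
$$ $t0 is a user pseudo-register used as a "found" flag; buffer at 003b0000 is assumed.
r $t0 = 0
.foreach (addr {s-[1]b 003b0000 L100 53 65 6e 64}) { r $t0 = 1; .echo match at addr }
.if (@$t0 == 0) { .echo pattern absent } .else { .echo pattern present }

$$ Same logic as a conditional breakpoint on sendto. rdx is assumed to hold the
$$ buffer pointer (second argument on x64). gc resumes from a conditional
$$ breakpoint when nothing was found; otherwise the debugger remains stopped.
bp ws2_32!sendto "r $t0 = 0; .foreach (addr {s-[1]b @rdx L100 53 65 6e 64}) { r $t0 = 1 }; .if (@$t0 == 0) { gc } .else { .echo pattern found in send buffer }"
```

Because the -[1] flag makes s print exactly one token (the address) per hit, the .foreach body runs once per match and not at all when there is no match, which is what makes the flag reliable. gc is used instead of g so that resuming from the breakpoint keeps whatever execution command (step or go) was in effect when it was hit.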