
Windbg conditional breakpoints ignore condition itself


I'm debugging an app without sources; I use IDA PRO + Windbg as the debugger. I'm trying to catch calls to CloseHandle with a specific handle value, for example handle=0x14.

I put a conditional breakpoint like so:

bp kernel32!CloseHandle "j (poi(@esp+4)=0x00000014) ''; 'gc'"

The breakpoint sets normally, but it breaks on every call to CloseHandle, contrary to what I'm trying to do, which is to break only if the first argument equals 0x14.


Solution

  • You have a missing =: the conditional equals operator needs two (==), not a single =.

    0:000> bp kernel32!CloseHandle ".if(poi(@esp+4)!=0xcc) {? dwo(@esp+4);gc}.else{? dwo(@esp+4);.echo our handle;gc}"
    0:000> g
    
    Evaluate expression: 60 = 0000003c
    Evaluate expression: 56 = 00000038
    
    Evaluate expression: 204 = 000000cc <------
    our handle <-------------
    
    Evaluate expression: 200 = 000000c8    
    Evaluate expression: 256 = 00000100   
    Evaluate expression: 272 = 00000110    
    Evaluate expression: 280 = 00000118    
    Evaluate expression: 308 = 00000134
    Evaluate expression: 312 = 00000138
    Evaluate expression: 308 = 00000134
    Evaluate expression: 324 = 00000144
    Evaluate expression: 328 = 00000148
    Evaluate expression: 324 = 00000144