Search code examples
c#pinvokewindbg

WinDbg "invalid access to memory location" - InitializeProcThreadAttributeList

I'm relatively new to WinDbg, so I'm hoping this is just something obvious I'm missing. I have a .NET assembly that contains the function calls InitializeProcThreadAttributeList, UpdateProcThreadAttribute and DeleteProcThreadAttributeList, defined using P/Invoke. All three of those functions are imported from the "kernel32.dll" library. My goal is to trace these functions to understand the ntdll sys calls being used.

I tried to set a breakpoint with this command:

bp KERNEL32!InitializeProcThreadAttributeList

, but got this error:

Couldn't resolve error at 'KERNEL32!InitializeProcThreadAttributeList'

Next, I searched for any sign of this function using the following command:

x kernel32!*procthread*

I got this reply:

00007ffd`c7598588 KERNEL32!_imp_InitializeProcThreadAttributeList = <no type information>

I then tried to set a breakpoint on this stub? function like this:

bp kernel32!_imp_InitializeProcThreadAttributeList

Although it says the breakpoint has been defined, when I continue execution, it errors with this:

Unable to insert breakpoint 0 at 00007ffd`c7598588, Win32 error 0n998
    "Invalid access to memory location."

I also tried setting the breakpoint with "bu", but that produced the same error.

Does anyone know how to set a breakpoint in this situation? Thank you in advance!

Solution

  • Most of the functions in kernel32 have been implemented in kernelbase.dll and kernel32 only contains a thunk

    the telltale sign is the IMP denoting imported from

    _imp_InitializeProcThreadAttributeList

    try setting bp kernelbase!InitializeProcThreadAttributeList

    0:000> x /v kernel32!InitializeProcThreadAttributeList
pub func   761f4fc1             0 kernel32!InitializeProcThreadAttributeList (<no parameter info>)

0:000> u kernel32!InitializeProcThreadAttributeList l1
kernel32!InitializeProcThreadAttributeList:
761f4fc1 ff25c0181476    jmp dword ptr [kernel32!_imp__InitializeProcThreadAttributeList (761418c0)]

0:000> ? poi(kernel32!_imp__InitializeProcThreadAttributeList)
Evaluate expression: 1978493618 = 75ed6ab2

0:000> ln poi(kernel32!_imp__InitializeProcThreadAttributeList)
Exact matches:
    KERNELBASE!InitializeProcThreadAttributeList (<no parameter info>)


0:000> bp poi(kernel32!_imp__InitializeProcThreadAttributeList)
0:000> bl
 0 e 75ed6ab2     0001 (0001)  0:**** KERNELBASE!InitializeProcThreadAttributeList