Breakpoints
Last updated
Was this helpful?
IDA 8.4
Last updated
Was this helpful?
Here are the commands to use the debugger breakpoints.
Related topics:
See also .
Opens the breakpoints window.
In this window, you can view information related to existing breakpoints. Breakpoints are saved in the database, and restored as soon as possible (once the memory becomes writeable).
The 'Pass count' column indicates how many times the program needs to hit the breakpoint before being suspended (0 means "always suspend").
This command opens a dialog box to edit an existing breakpoint.
Location
Settings
Actions
Please note that hardware breakpoints occur AFTER the instruction execution while software breakpoints occur BEFORE the instruction.
Usually, it is easier to use software breakpoints, except if:
See also
This command deletes an existing breakpoint at the current address.
Page breakpoints are memory access breakpoints that can be set to detect when the application reads, writes, or executes code/data in a specific memory range. Page breakpoints are very similar to hardware breakpoints but there is no limitation on the number of page breakpoints that can be set or their size, in contrast with normal hardware breakpoints.
Memory access breakpoints are implemented by removing page permissions according to the specified type of the page breakpoint to be added (for example, for a write page breakpoint, the write permission will be removed from the page). When the access violation exception occurs because the application tries to access the specific memory region, IDA reports a breakpoint hit.
As page breakpoints can be set for a small part of a memory page but the permissions of the whole page must be changed, page breakpoints can slow down the debugger because many access violation exceptions may be generated. If the application accesses memory outside of the desired range but on the same page, the generated exception must be silently handled and the application resumed. Specifically, page breakpoints in the code segment can slow down the debugger very much.
Memory access breakpoints are supported since IDA version 6.3 for the following debuggers:
Win32
WinDbg
Bochs
Open the breakpoints window if needed, then find current breakpoint in it.
Expressions
Statements
See also
Low level breakpoint conditions can be used to speed up the debugger. They are evaluated like this:
In both cases, there is a significant speed up. This improvement imposes some limitations on the breakpoint condition:
only functions marked as 'thread-safe' may be called
only entire registers can be accessed (e.g. EAX is ok but AL is not) Essentially this means that the only available functions are:
Low level breakpoint conditions are available only for Win32, Linux, Mac, and Android debuggers.
This command adds a breakpoint at the current address. If an instruction exists at this address, an instruction breakpoint is created. Otherwise, IDA offers to create a hardware breakpoint and allows the user to . Hardware breakpoints can be either real hardware breakpoints or .
Condition This expression will be evaluated each time the breakpoint is reached. If the expression returns true (non-zero), the debugger will execute the selected actions. Please note that you can use the register names in the IDC scripts when the debugger is active. Tests like this are allowed, for example: EAX == EBX+5 or get_wide_dword(ESP+0x10) == 34 You can also use the "..." button to enter a multiline condition, or specify another scripting language to use. See for more info.
Low level condition: Evaluate the condition on the remote computer. Such conditions are faster, especially during remote debugging, because there is no network traffic between IDA and the remote computer on each breakpoint hit.
Refresh debugger memory: By default IDA does not refresh the memory config before evaluating a breakpoint condition. This option enables the refresh. To refresh it manually, call
Tracing type: , and level tracing types can be selected for breakpoints where enable/disable tracing have been selected. Hardware breakpoint size Number of bytes to watch: 1, 2 or 4 bytes for normal hardware breakpoints. Any size for . Hardware breakpoint mode
In the case of Intel hardware breakpoints, some limitations are enforced (in contrast with ). It is impossible to create more than 4 hardware breakpoints. The address of the breakpoint must be aligned appropriately:
You can use the "Condition" field of the breakpoint properties to enter an expression which is evaluated when the breakpoint is hit. It can be either an actual condition or just any valid code in or another supported scripting language syntax. By using the "..." button, you can open a multi-line editor for the condition and switch the scripting language used for evaluating it.
only expressions can be used for low level conditions