Fravia's TOOLS OF OUR TRADE Messageboard ~ Moderated
Re: break on specific registry key access
Sunday, 21-Feb-99 06:20:37
The problem with what you are asking is that it involves a few unknowns.
When a registry function is called, a pointer to a string containing the registry key to open is pushed onto the stack.
Thus, you have to look through the program's data section and find, say, the address of the string "HKEY_LOCAL_MACHINE\Software\DorkyVBApp\RegKey"
Supposing that the string is at address 40109999, then your conditional breakpoint logioc would look something like
Break on RegQueryKey if [stack offset] = 4010999
This problem is compounded by having to know the offset from the top of the stack that the addressed will be pushed in [you can do this by counting the number of parameters before it, multiplying this by 4, and subtracting from ebp]. If the program was compiled using the fast-this option, though, the first 4 parameters will be passed via registers, so this method is not very accurate.
What UI would suggest instead is running RegMon before hand, counting the number of calls to that function before the one you want, and setting a conditional breakpoitn that will only stop after that count # of times.
I haven't used soft-ice in 8 months-- you'll have to look up the specific BPX syntax in the manual :)
_m
mammon_