6

I'm debugging an application in OllyDbg, and I pause the program at a specific place. Now I am deep inside ntdll and other GUI-related module calls, judging from the stack. I'd like to break as soon as the application returns to any function within a specified (the main) module. Is there such a breakpoint condition? How can I do this?

Dominik Antal

2 Answers

7

Go to the memory window in OllyDbg. Find the code section (usually .text) of the module you want to break on return to. Right click the memory section and set break-on-access or hit F2. You'll break once execution reaches that memory. You can also change the memory access to read only and you'll get an exception when execution hits that memory segment.

You can also use a trace and set a conditional stop when EIP is within a certain range. To do this, simply set the condition by going to Debug, Set Condition (Ctrl+T). Then start the trace with Debug, Trace Into (Ctrl+F11) or Debug, Trace Over (Ctrl+F12). This will enable you to see where you came from, even if the call is indirect.

It's not guaranteed to be on return but if you're in a different module it's fairly likely that the return is when the first execution happens. You could also be triggering on calls through imports, through object vtables or some other mechanism. You'd need to study the state you're in when the break hits.

Peter Andersson
  • I never would have thought that I can set a break "point" on a whole memory section... wow. – Dominik Antal Jan 08 '14 at 08:48
  • 1
    I haven't studied the mechanism in detail, but the way I would solve it if I were writing a debugger is to set the entire memory region as no access; then the debugger catches the exception when an attempt to access it is made. That way you would get a sort of memory region breakpoint. I'm not sure how OllyDbg implements it. – Peter Andersson Jan 08 '14 at 08:54
  • How do you "find the code section" in memory? How do I determine where in memory my program has been loaded? Edit: I just realised if you expand the memory section you can easily find it, thanks. – rollsch Jul 09 '16 at 07:34
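
The "find the code section" step and the EIP range for the trace condition can both be computed from the module's PE header instead of read off the memory map. The sketch below is an added example, not code from the answers above: the function names (`code_ranges`, `in_module_code`, `sample_image`) are hypothetical, the sample header bytes are constructed, and only 32-bit PE images are handled.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"  # one 40-byte section header

def code_ranges(pe, load_base=None):
    """Return [(name, start_va, end_va)] for the executable sections of a PE32 image.
    load_base is the address the debugger reports for the module; if omitted,
    the preferred ImageBase from the header is used (wrong if the module was relocated)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsects, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled")
    (image_base,) = struct.unpack_from("<I", pe, opt + 28)
    base = image_base if load_base is None else load_base
    out = []
    for i in range(nsects):
        name, vsize, rva, rawsize, *_, flags = struct.unpack_from(
            SECTION_FMT, pe, opt + opt_size + 40 * i)
        if flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            size = vsize or rawsize  # VirtualSize can be 0 in some linkers' output
            out.append((name.rstrip(b"\0").decode("ascii", "replace"),
                        base + rva, base + rva + size))
    return out

def in_module_code(eip, ranges):
    """The check a range-conditioned trace performs on every step."""
    return any(start <= eip < end for _, start, end in ranges)

def sample_image():
    """Constructed minimal PE32 header: .text at RVA 0x1000, .data at RVA 0x4000."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0,
                      0x1000, 0x1000, 0x4000, 0x00400000).ljust(0xE0, b"\0")
    text = struct.pack(SECTION_FMT, b".text", 0x2345, 0x1000, 0x2400, 0x400,
                       0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_FMT, b".data", 0x500, 0x4000, 0x600, 0x2800,
                       0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + opt + text + data

if __name__ == "__main__":
    for name, start, end in code_ranges(sample_image()):
        print(f"{name}: {start:08X}-{end:08X}")
```

The memory map rounds each section up to a page boundary, so the block shown there can be slightly larger than the range computed here.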
4

Under normal conditions, Alt+F9 (Execute till user code) should get you back to user code.

blabb