3

I'm currently debugging a program using x64dbg, and I'm struggling to set up a conditional breakpoint on the CreateFileW function:

HANDLE CreateFileW( [in] LPCWSTR lpFileName, [in] DWORD dwDesiredAccess, [in] DWORD dwShareMode, [in, optional] LPSECURITY_ATTRIBUTES lpSecurityAttributes, [in] DWORD dwCreationDisposition, [in] DWORD dwFlagsAndAttributes, [in, optional] HANDLE hTemplateFile );

Specifically, I need the breakpoint to trigger only when the function is called with a specific filename/path, such as "C:/my/file/txt.txt".

Despite searching online, I haven't found a clear solution for my scenario. Can anyone guide how to achieve this in x64dbg?

What I tried

I tried to set a conditional breakpoint with:

arg.get(0) == "C:/my/file/"

However, that doesn't work, it seemingly breaks on every file, no matter the path.

  • How can I set a conditional breakpoint for when the debugger is accessing the path of C:/my/file/bla.txt?
Improve this question
0

1 Answer 1

Reset to default
3

You can use expression functions to achieve what you want, specifically the streq/strstr functions.

To break when a specific file is accessed:

streq(utf16(arg.get(0)), "C:\my\file\bla.txt")

To break if a file in a specific folder in accessed:

strstr(utf16(arg.get(0)), "C:\my\folder")

I recommend testing individual subexpressions by putting them in the command bar while paused at the unconditional CreateFileW breakpoint. This makes it easier to debug potential issues (for example using a / as formulated in your question would not work and might be frustrating to find out without doing this).

Improve this answer
0

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.