Hardware Breakpoints: The Definitive Guide
When I wanted to use these, I found that the information on the internet was
simply very, very lacking. It was very hard to find an example or the like, and what I
found was not very well documented or useful/working, so I decided to write my own
paper about it. So here it goes.
Understanding Hardware Breakpoints
Hardware breakpoints are breakpoints which are placed in the CPU's debug registers.
The CPU has 8 of these, DR0 to DR7. The first 4 registers (DR0 to DR3) hold the addresses
of the data to break on. DR4 and DR5 are reserved. DR6 is the status register; it has the
following flags (quoted from the Intel manual):
• B0 through B3 (breakpoint condition detected) flags (bits 0 through 3) — Indicates (when set) that its associated breakpoint condition was met when a debug exception was generated. These flags are set if the condition described for each breakpoint by the LENn, and R/Wn flags in debug control register DR7 is true. They are set even if the breakpoint is not enabled by the Ln and Gn flags in debug control register DR7.
• BD (debug register access detected) flag (bit 13) — Indicates that the next instruction in the instruction stream accesses one of the debug registers (DR0 through DR7). This flag is enabled when the GD (general detect) flag in debug control register DR7 is set. See Section 18.2.4, "Debug Control Register (DR7)," for further explanation of the purpose of this flag.
• BS (single step) flag (bit 14) — Indicates (when set) that the debug exception was triggered by the single-step execution mode (enabled with the TF flag in the EFLAGS register). The single-step mode is the highest-priority debug exception. When the BS flag is set, any of the other debug status bits also may be set.
• BT (task switch) flag (bit 15) — Indicates (when set) that the debug exception resulted from a task switch where the T flag (debug trap flag) in the TSS of the target task was set. See Section 6.2.1, "Task-State Segment (TSS)," for the format of a TSS. There is no flag in debug control register DR7 to enable or disable this exception; the T flag of the TSS is the only enabling flag.
DR7 is our control register. It holds our break conditions (the R/Wn and LENn fields for each
of the four slots) and whether each breakpoint is active (the Ln and Gn enable bits).
Read more in the Intel Manual, Volume 3B.
That's cool, but how do I use them?
Here's the really interesting part of this little text: the example of how to use the debug
registers. The debug registers live in the thread's CONTEXT structure, so you read the context, edit the Dr fields and write it back.
    // Set your context flags like this (CONTEXT_DEBUG_REGISTERS is what makes Dr0..Dr7 valid)
    this->cx.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;

    // Creates a hardware break-on-execute breakpoint in slot 0 (DR0)
    bool DebugEngine::SetBreakOnExecute(DWORD addr)
    {
        cx.Dr0 = addr;   // set BP address
        cx.Dr7 = 0x1;    // L0 = 1 (activate slot 0); R/W0 = 00 (execute), LEN0 = 00 as execute requires
        // write the registers back to the target thread; hThread is assumed to be the engine's thread handle
        return SetThreadContext(hThread, &cx) != FALSE;
    }
And now the debug loop to catch our BP. This is a text-book example of
a debugger loop from MSDN. Now the interesting thing here is that I
figured that I would have to check for an EXCEPTION_BREAKPOINT, but this
turned out to be false, and in fact a hardware breakpoint raises a
    bool DebugEngine::DebugLoop(DWORD Dst, LPDEBUG_EVENT DebugEv) {
        DWORD dwContinueStatus = DBG_CONTINUE; // exception continuation
        bool Hit = false;
        while (!Hit && WaitForDebugEvent(DebugEv, INFINITE)) {
            // We hit our BP ..do what we gotta do (here: the faulting address equals Dst)
            Hit = DebugEv->dwDebugEventCode == EXCEPTION_DEBUG_EVENT &&
                  DebugEv->u.Exception.ExceptionRecord.ExceptionAddress == (PVOID)(ULONG_PTR)Dst;
            ContinueDebugEvent(DebugEv->dwProcessId, DebugEv->dwThreadId, dwContinueStatus);
        }
        return Hit;
    }
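The two steps above hard-code the simplest case (slot 0, execute, DR7 = 0x1). The following is an added example, not code from this paper, that builds the DR7 bits for any slot, condition and length and decodes DR6 afterwards; it is plain bit logic with no Windows headers, and the helper names (dr7_set_slot, dr6_hit_slot, ...) are hypothetical.

```cpp
#include <cstdint>

// R/Wn field encodings in DR7 (Intel SDM Vol. 3B). Value 2 (I/O) is omitted: it needs CR4.DE.
enum BreakKind : uint32_t { BREAK_EXECUTE = 0, BREAK_WRITE = 1, BREAK_READWRITE = 3 };
// LENn field encodings. Execute breakpoints must use LEN1 (00); LEN8 exists only in 64-bit mode.
enum BreakLen  : uint32_t { LEN1 = 0, LEN2 = 1, LEN8 = 2, LEN4 = 3 };

// Arm slot n (0..3) in DR7: Ln (local enable) is bit 2n, R/Wn is bits 16+4n..17+4n,
// LENn is bits 18+4n..19+4n. Other slots are left untouched.
uint32_t dr7_set_slot(uint32_t dr7, unsigned slot, BreakKind kind, BreakLen len) {
    if (slot > 3) return dr7;                      // only DR0..DR3 exist
    if (kind == BREAK_EXECUTE) len = LEN1;         // hardware requires LEN=00 for execute
    const uint32_t shift = 16 + 4 * slot;
    dr7 &= ~(0xFu << shift);                       // clear the old R/Wn and LENn
    dr7 |= (uint32_t(kind) | (uint32_t(len) << 2)) << shift;
    dr7 |= 1u << (2 * slot);                       // Ln = 1: breakpoint active
    return dr7;
}

// Disarm slot n: clear Ln and its condition bits.
uint32_t dr7_clear_slot(uint32_t dr7, unsigned slot) {
    if (slot > 3) return dr7;
    dr7 &= ~(1u << (2 * slot));
    dr7 &= ~(0xFu << (16 + 4 * slot));
    return dr7;
}

// After the exception, DR6 says what fired: B0..B3 (bits 0..3) name the slot,
// BS (bit 14) means single-step. Returns the lowest slot that fired, or -1 if none did.
int dr6_hit_slot(uint32_t dr6) {
    for (unsigned i = 0; i < 4; ++i)
        if (dr6 & (1u << i)) return int(i);
    return -1;
}
bool dr6_is_single_step(uint32_t dr6) { return (dr6 & (1u << 14)) != 0; }

// DR6 status bits are sticky: the processor never clears B0..B3, BD, BS or BT, so a
// debugger should zero them before resuming or the next hit is misattributed.
uint32_t dr6_clear_status(uint32_t dr6) { return dr6 & ~(0xFu | (0x7u << 13)); }
```

For slot 0 and BREAK_EXECUTE the function returns exactly the 0x1 the paper writes into Dr7; the same call for another slot or a write/read-write condition gives the value you would store instead.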
I hope this helps some people out there; it sure helped me. This
document is not done and this is only the first draft, but I'm not sure I
will have a reason to update it, as it already contains all you need to
know to create hardware breakpoints now.