I am currently digging inside the kernel part of Windows GDI, and using WinDbg over a serial cable for that. I wanted to place a BP on the entry of some function (xxxyyyBlt in fact) that would fire only if the source or destination surface was, for example, larger than given dimensions. "Nothing too complicated" I thought, and I've written something like that (don't remember actual values, 'twas at work):
Code:
bp EngStretchBlt "j
((poi(poi(@ebp+0x08)+0x10)>0xffff) or
(poi(poi(@ebp+0x08)+0x14)>0xffff) or
(poi(poi(@ebp+0x0c)+0x10)>0xffff) or
(poi(poi(@ebp+0x0c)+0x14)>0xffff))
'kp'; 'gc'"
Just grab some parameters from the stack, dereference and compare. All went well till one of the BP hits returned "memory access error". Oh yes, not always both surfaces must be passed to this function. If one of them is null, we're getting a dereference error. So, I added ((poi(@ebp+0x08)>0x1000) and (poi(@ebp+0x0c)>0x100)) and ... in front of the conditional expression, hoping that if the first part of the AND turns false, the second one will not be evaluated. Alas, that was a false assumption: it seems that WinDbg always evaluates the whole expression. Hence my question to WinDbg gurus - how to do it properly? Maybe split into separate BPs?
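One way to get the guarded dereference the post is after, as an added example that is not part of the original post: nested .if blocks replace the single and/or expression, so the inner poi() is only evaluated once the outer pointer test has passed. It assumes the post's placeholder offsets and 0xffff limit, tests each pointer against zero, and uses the pseudo-register $t0 as a scratch flag.

```windbg
$$ Added example, not from the original post.
$$ Offsets +0x08, +0x0c, +0x10, +0x14 and the 0xffff limit are the post's placeholder values.
$$ $t0 is a scratch flag: set to 1 when either surface exceeds the limit.
$$ Enter the bp command as one line; it is wrapped here for readability.
bp EngStretchBlt "r $t0 = 0;
  .if (poi(@ebp+0x08) != 0) { .if ((poi(poi(@ebp+0x08)+0x10) > 0xffff) or (poi(poi(@ebp+0x08)+0x14) > 0xffff)) { r $t0 = 1 } };
  .if (poi(@ebp+0x0c) != 0) { .if ((poi(poi(@ebp+0x0c)+0x10) > 0xffff) or (poi(poi(@ebp+0x0c)+0x14) > 0xffff)) { r $t0 = 1 } };
  .if (@$t0 != 0) { kp } .else { gc }"
```

Each surface is checked in its own guarded block, so a null source does not prevent the destination from being tested, and the breakpoint resumes with gc unless one of the size tests set the flag.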