Cheat Engine The Official Site of Cheat Engine
skynet888 !BEWARE! Deletes post on answer
Reputation: 1
Joined: 12 Apr 2021 Posts: 82
Posted: Fri Mar 20, 2026 6:43 pm Post subject: Kernelmode debugger can't break at ntdll.LdrLoadDll after CR
Hi Darkbyte,
Even when I first create a process with CREATE_SUSPENDED and set a breakpoint on ntdll.LdrLoadDll using Cheat Engine's kernelmode debugger, it still never breaks. However, all the other debuggers in CE work fine at this location. Could you explain why?
Is there any possibility that CE's kernelmode debugger will support breaking at this point in the future? Or alternatively, can I first break at ntdll.LdrLoadDll using one of CE's other debuggers, then switch to the kernelmode debugger without restarting CE?
Dark Byte Site Admin
Reputation: 472
Joined: 09 May 2003 Posts: 25899 Location: The netherlands
Posted: Sat Mar 21, 2026 2:41 am Post subject:
Do you mean kernelmode debugger or dbvm level debugger?
Anyhow, use the windows debugger. Write an eb fe there, detach the debugger and then change to kernelmode debugger, attach, set a breakpoint on the next instruction and restore the eb fe with the original code.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
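Why the `eb fe` in the reply above parks the thread, as an added example that is not part of the original posts or of Cheat Engine's code: `EB FE` is a short jump with displacement -2, so it targets its own address, and the original two bytes must be saved to be restored later. The buffer, addresses, and all names below are constructed for illustration.

```python
# Added illustration; `mem` is a constructed byte buffer standing in for the
# target's code page, and every name here is hypothetical.
SPIN = bytes([0xEB, 0xFE])  # jmp rel8 with displacement -2


def rel8_jump_target(addr: int, insn: bytes) -> int:
    """Decode a 2-byte `EB xx` short jump located at addr; return its target."""
    if len(insn) != 2 or insn[0] != 0xEB:
        raise ValueError("not a short jmp")
    disp = insn[1] - 256 if insn[1] >= 0x80 else insn[1]  # sign-extend rel8
    return addr + 2 + disp  # relative to the end of the 2-byte instruction


class SpinPatch:
    """Park a thread at `addr` with EB FE, then put the original bytes back."""

    def __init__(self, mem: bytearray, base: int, addr: int):
        self.mem, self.off = mem, addr - base
        if not 0 <= self.off <= len(mem) - len(SPIN):
            raise ValueError("address outside buffer")
        self.saved = None

    def apply(self) -> bytes:
        if self.saved is not None:
            raise RuntimeError("already patched")
        self.saved = bytes(self.mem[self.off:self.off + 2])
        self.mem[self.off:self.off + 2] = SPIN
        return self.saved

    def restore(self) -> None:
        if self.saved is None:
            raise RuntimeError("nothing to restore")
        # Refuse to write if something else changed the bytes in the meantime.
        if bytes(self.mem[self.off:self.off + 2]) != SPIN:
            raise RuntimeError("patch site changed")
        self.mem[self.off:self.off + 2] = self.saved
        self.saved = None


def demo():
    base = 0x7FF800001000                         # constructed address
    original = bytes.fromhex("48 89 5c 24 10 55")  # constructed prologue bytes
    mem = bytearray(original)
    patch = SpinPatch(mem, base, base)
    saved = patch.apply()
    loops_to_self = rel8_jump_target(base, bytes(mem[:2])) == base
    patch.restore()
    return saved, loops_to_self, bytes(mem) == original
```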
skynet888 !BEWARE! Deletes post on answer
Reputation: 1
Joined: 12 Apr 2021 Posts: 82
Posted: Sat Mar 21, 2026 5:07 am Post subject:
Dark Byte wrote:
> do you mean kernelmode debugger or dbvm level debugger?
> anyhow, use the windows debugger. Write an eb fe there, detach the debugger and then change to kernelmode debugger, attach, set a breakpoint on the next instruction and restore the eb fe with the original code
Thanks, I was referring to the kernel-mode debugger. It seems that the DBVM-level debugger doesn't work in VMware virtual machines, so I have to rely on kernel-mode debugging instead.
But you didn't get what I meant. What I'm saying is: I first create process A with CREATE_SUSPENDED. At this point, the process is suspended right after only ntdll.dll is loaded, with no other DLLs loaded yet, and LdrInitializeThunk hasn't been executed.
Even if I set breakpoints on ntdll!LdrInitializeThunk or ntdll!LdrLoadDll at this exact moment with the kernel-mode debugger, then resume process A, the breakpoints will never hit.
However, if I switch to the Windows debugger, it can break at LdrInitializeThunk without any problem. But the Windows debugger has all kinds of weird issues when debugging packed ring3 programs, so I only use the kernel-mode debugger.