Channel: Python extension for WinDbg

Commented Unassigned: Kernel Hardware Breakpoint Single Step [13895]

I've been trying to use pykd to add hardware breakpoints on heap allocation functions in kernel mode. I'm experiencing a problem where, after a few executions, the kernel halts with a "Single step exception - code 80000004 (first chance)" error despite my always returning False from the handler.

This is the output I'm getting, showing that it executes fine a few times and then stops after a seemingly random number of executions.
```
>>> bps = [heap_trace.ExAllocatePoolWithTag(), heap_trace.ExFreePoolWithTag()]
>>> pykd.go()
ExAllocatePoolWithTag(00000000, 000000ee, 3377444e)
ExFreePoolWithTag(8753a0c0, 00000000)
ExFreePoolWithTag(874e1b98, 00000000)
ExFreePoolWithTag(90f1a600, 00000000)
ExFreePoolWithTag(8729cb80, 00000000)
Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
pykd.pykd.executionStatus.Break
>>> pykd.go()
Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
pykd.pykd.executionStatus.Break
>>> [bp.remove() for bp in bps]
[None, None]
>>> pykd.go()
Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
pykd.pykd.executionStatus.Break
>>>
```

The code I have been using is posted [here on pastebin](http://pastebin.com/7Qh5y2X7).

Additionally, after removing the breakpoints, the kernel continues to stop at those locations. The only way I've found that seems to fix it is setting a hardware breakpoint on the same address in WinDbg and then clearing it.

I'm using pykd x86 0.3.1.1 with Python 2.7.10 and WinDbg 6.11.0001.404.

Any assistance or feedback would be very much appreciated, thank you.
Comments: ** Comment from web user: EreTIk **

* Which version of target Windows do you use?
* Do software breakpoints have the same problem?
* Does WinDbg scripting have the same problem? Something like this:
```
ba e 1 nt!ExAllocatePoolWithTag ".printf \"%N\\n\", poi(@$esp+4); g"
```

P.S. [x64 Architecture, Calling Conventions](https://msdn.microsoft.com/en-us/library/ff561499(VS.85).aspx#calling_conventions)
> Unlike the x86, the C/C++ compiler only supports one calling convention on x64. This calling convention takes advantage of the increased number of registers available on x64:
> * The first four integer or pointer parameters are passed in the rcx, rdx, r8, and r9 registers
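The comment above points at the one thing the reporter's `poi(@$esp+4)`-style argument read gets wrong on x64: on x86 stdcall the arguments sit on the stack above the return address, while on x64 the first four go in rcx, rdx, r8 and r9 and the fifth onwards sit above the 0x20-byte shadow space. The block below is an added example (it is not the reporter's pastebin script and not part of pykd itself) that separates the architecture-dependent argument layout into a pure-Python helper, `call_args`, which can be checked outside the debugger, and wires it to pykd execute-type hardware breakpoints on `nt!ExAllocatePoolWithTag` and `nt!ExFreePoolWithTag`. It assumes the pykd 0.3 calls `getOffset`, `setBp(offset, size, accessType, callback)`, `reg`, `ptrPtr`, `is64bitSystem` and `dprintln`, the DbgEng execute access type value 4, and, like the report, a handler that returns False to let the target continue:

```python
"""Read call arguments at a breakpoint on x86 (stack) and x64 (registers, then stack).

Added example for this thread; not the reporter's code and not part of pykd.
Assumed pykd API: getOffset, setBp(offset, size, accessType, callback),
reg, ptrPtr, is64bitSystem, dprintln.
"""
try:
    import pykd  # only importable inside WinDbg
except ImportError:  # lets the pure-Python helpers run (and be tested) outside the debugger
    pykd = None

X64_REG_ARGS = ("rcx", "rdx", "r8", "r9")
DEBUG_BREAK_EXECUTE = 4  # DbgEng access type for an execute hardware breakpoint (assumed constant)

# Kernel pool functions to trace and how many arguments each takes.
HEAP_FUNCS = {"nt!ExAllocatePoolWithTag": 3, "nt!ExFreePoolWithTag": 2}


def call_args(regs, read_ptr, count, is64):
    """Return the first `count` integer/pointer arguments at function entry.

    regs: dict of register name -> value; read_ptr(addr) -> pointer-sized value.
    x86 stdcall: [esp] is the return address, args at [esp+4], [esp+8], ...
    x64:         rcx, rdx, r8, r9, then [rsp+0x28], [rsp+0x30], ...
                 ([rsp] is the return address, [rsp+8..rsp+0x27] is shadow space).
    """
    args = []
    if is64:
        for i in range(count):
            if i < len(X64_REG_ARGS):
                args.append(regs[X64_REG_ARGS[i]])
            else:
                args.append(read_ptr(regs["rsp"] + 0x28 + 8 * (i - len(X64_REG_ARGS))))
    else:
        for i in range(count):
            args.append(read_ptr(regs["esp"] + 4 * (i + 1)))
    return args


def format_call(name, args, is64):
    """Render 'Func(aaaaaaaa, bbbbbbbb)' with pointer-width zero-padded hex, like the report's output."""
    width = 16 if is64 else 8
    return "%s(%s)" % (name, ", ".join("%0*x" % (width, a) for a in args))


def _live_regs(is64):
    # Snapshot only the registers call_args needs, from the debuggee.
    names = ("rsp",) + X64_REG_ARGS if is64 else ("esp",)
    return {n: pykd.reg(n) for n in names}


def _make_handler(name, argc):
    def on_hit():
        is64 = pykd.is64bitSystem()
        args = call_args(_live_regs(is64), pykd.ptrPtr, argc, is64)
        pykd.dprintln(format_call(name.split("!")[1], args, is64))
        return False  # do not break: let the target continue, as in the report
    return on_hit


def install_hw_breakpoints():
    """Set a 1-byte execute hardware breakpoint on each pool function.

    Keep the returned list alive for as long as the breakpoints should exist,
    and call bp.remove() on each when done.
    """
    bps = []
    for name, argc in HEAP_FUNCS.items():
        addr = pykd.getOffset(name)
        bps.append(pykd.setBp(addr, 1, DEBUG_BREAK_EXECUTE, _make_handler(name, argc)))
    return bps
```

Inside WinDbg the usage mirrors the report: `bps = install_hw_breakpoints()` followed by `pykd.go()`. The point of keeping `call_args` free of pykd calls is that the x86/x64 layout can be verified with a fake register dictionary and memory reader before a single hardware breakpoint is set on the target.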

