Using SoftICE for Windows NT, I would like to break when a context switch occurs. How do I do this?


You can set a BPX on the Windows the NT function, SwapContext(), and force it to break if a certain condition is met, such as the context for your thread is getting loaded.  For example,

BPX ntoskrnl!SwapContext IF (EDI == 0xFF8B4020)

The actual value to test against EDI is different. You will need to use the THREAD command to obtain the Kernel TEB to test against EDI.

NOTE: 1. You will need to load symbols on ntoskrnl to get the SwapContext function.  2. This is version dependent, and may not work on newer versions of NT.  Microsoft may change the symbol name or use different register to store the Kernel Thread Environment Block.

