Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Why do I get STATUS_WX86_BREAKPOINT instead of EXCEPTION_BREAKPOINT when debugging 32 bit application on 64 machine?

I am trying to write a simple debugger on Windows to debug 32-bit applications, my machine is 64-bits. I am using C language.

When I add breakpoint ( 0xCC ) at the specified address, I expect to get EXCEPTION_BREAKPOINT value in debugEvent.u.Exception.ExceptionRecord.ExceptionCode

However I get STATUS_WX86_BREAKPOINT(0x4000001F) instead. MSDN website define it as "An exception status code that is used by the Win32 x86 emulation subsystem." . Without any further explanation for this behavior.

Can I handle this exception the same way as EXCEPTION_BREAKPOINT ? So the code will be as

switch(debugEvent.u.Exception.ExceptionRecord.ExceptionCode)
   case EXCEPTION_BREAKPOINT:
   case STATUS_WX86_BREAKPOINT:
      HandleBreakPoint();
   break;
                also add about debugger (32/64 bit) difference. STATUS_WX86_BREAKPOINT got only 64bit debugger, and based on this can say that you run 64bit code
– RbMm
                Aug 19, 2018 at 19:14
                For those coming from googling STATUS_WX86_BREAKPOINT = 0x4000001f: the relevant MSDN docs are MS-ERREF: 2.3.1 NTSTATUS Values and Using NTSTATUS Values. They say: “The NTSTATUS type is defined in Ntdef.h, and system-supplied status codes are defined in Ntstatus.h.” For me, #include "Ntstatus.h" makes STATUS_WX86_BREAKPOINT available.
– Lumen
                Mar 15, 2022 at 10:44
When breakpoint (int 3) exception was from code executed in WOW64 mode (32 bit code in 64 bit Windows) 64-bit debugger really got STATUS_WX86_BREAKPOINT. When breakpoint from 64-bit code - STATUS_BREAKPOINT . Also on single step exception 64-bit debugger got STATUS_SINGLE_STEP if this exception from 64-bit code and STATUS_WX86_SINGLE_STEP if exception from WOW64 code.
  
Can I handle this exception the same way as EXCEPTION_BREAKPOINT ?, so
  the code will be as
Yes, you can. Same is true for STATUS_WX86_SINGLE_STEP - you can handle it in the same way as STATUS_SINGLE_STEP. the WX86_ gives you additional information from which mode (WOW64 or native) was breakpoint. But in both case this is breakpoint exception. And logic how handle it usually common. However this is your choice decide what do and how handle breakpoint, single step or other exception.
Also note that STATUS_WX86_BREAKPOINT and STATUS_WX86_SINGLE_STEP got only 64bit debugger. 32-bit debugger always gets STATUS_BREAKPOINT where 64-bit debugger gets STATUS_WX86_BREAKPOINT and nothing got where x64 debugger got STATUS_BREAKPOINT. The same for single step. For example on WOW64 process startup - 64-bit debugger got 2 breakpoints - first STATUS_BREAKPOINT form 64-bit mode (inside 64-bit ntdll.LdrpDoDebugBreak) and then STATUS_WX86_BREAKPOINT from 32-bit ntdll.LdrpDoDebugBreak. While 32-bit debugger got only second breakpoint (from 32-bit code) with STATUS_BREAKPOINT.
        
Thanks for contributing an answer to Stack Overflow!
Please be sure to answer the question. Provide details and share your research!
But avoid …
Asking for help, clarification, or responding to other answers.
Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.