看你用什么调试器呀，在它的帮助文档里找硬件断点相关的部分看看

如果你指的是编程方法，参考这个：

Debug registers (DR0 through DR7) are used to set hardware breakpoints. A protection can manipulate them to either detect that hardware breakpoints have been set (and therefore, that it is being debugged), reset them or set them to particular values used to perform code checks later. A packer such as tElock makes use of the debug registers to prevent reverse-engineers from using them.
From a user-mode perspective, debug registers cannot be set using the privileged 'mov drx, ...' instruction. Other ways exist:

- An exception can be generated, the thread context modified (it contains the CPU registers at the time the exception was thrown), and then resumed to normal execution with the new context.

- The other way is to use the NtGetContextThread and NtSetContextThread syscalls (available in kernel32 with GetThreadContext and SetThreadContext).

Most protectors use the first, "unofficial" way.

Example:
push offset handler
push dword ptr fs:[0]
mov fs:[0],esp
xor eax, eax
div eax ;generate exception
pop fs:[0]
add esp, 4
;continue execution
;...
handler:
mov ecx, [esp+0Ch] ;skip div
add dword ptr [ecx+0B8h], 2 ;skip div
mov dword ptr [ecx+04h], 0 ;clean dr0
mov dword ptr [ecx+08h], 0 ;clean dr1
mov dword ptr [ecx+0Ch], 0 ;clean dr2
mov dword ptr [ecx+10h], 0 ;clean dr3
mov dword ptr [ecx+14h], 0 ;clean dr6
mov dword ptr [ecx+18h], 0 ;clean dr7
xor eax, eax
ret

摘自赛门铁克网站，未测试

自己在SEH里添加

以前写的，应该还能用。

void DataBP( int arg1, char *arg2 )
{
        DWORD dw = 0x1234;
        CONTEXT cxt = { CONTEXT_DEBUG_REGISTERS | CONTEXT_FULL }, cxtOld;
       
        HANDLE h = GetCurrentThread();
       
        //if( IsDebuggerPresent() )
        {
                if( GetThreadContext( h, &cxt ) )
                {
                        cxtOld = cxt;

                        cxt.Dr0 = &dw;
                        cxt.Dr7 = 0x10501;
                        // w1
                        // 00000000 00000001 00000101 00000001
                        // w4
                        // 00000000 00001101 00000101 00000001
                        // rw4
                        // 00000000 00001111 00000101 00000001
                        if( SetThreadContext( h, &cxt ) )
                        {
                                dw = 0x4321;

                                GetThreadContext( h, &cxt );
                                printf( "Break into debug with dr6 = %X, dr7 = %X.\r\n", cxt.Dr6, cxt.Dr7 );

                                // recovery or it won't end.
                                SetThreadContext( h, &cxtOld );
                        }
                }
        }
}

x86/x64包括一组调试寄存器：DR0,DR1,DR2,DR3,DR6和DR7. 这些寄存器在32位模式下为32-bit, 64位模式下为64-bit. 其中DR0,DR1,DR2和DR3包含断点的线性地址, DR7包含的位解释如下：



位 功能
0-7 4个调试寄存器的标志位（每2个位对应一个寄存器）.第一个标志位指定是否是一个本地断点（local breakpoint）(CPU在切换任务时重设该标志位）,第二个标志位指定是否是一个全局断点(global breakpoint).在Windows平台，你只能使用第一个标志位(虽然我没有试过第二个).
16-23
每2个位对应一个寄存器，用来定义断点合适被触发：
00b - 代码执行时触发

01b - 数据写入时触发

10b - 保留

11b - 数据读写时触发

24-31
每2个位对应一个寄存器,定义断点的大小

00b - 1字节

01b - 2字节

10b - 8字节

11b - 4字节

假设dr0里是断点地址，则设dr7=0x30001

在windbg中调试程序，断点直接命中了。由于不是windbg自己设置的，它解释成single step异常

0:000> g
ModLoad: 76200000 7621f000 C:\Windows\system32\IMM32.DLL
ModLoad: 75c10000 75cdc000 C:\Windows\system32\MSCTF.dll
(23b4.880): Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=7ffd5000 ecx=0012f7a4 edx=777b70b4 esi=0012f7c4 edi=0012fe54
eip=00411727 esp=0012f7c4 ebp=0012fe54 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
*** WARNING: Unable to verify checksum for testC.exe
testC!DataBP+0xd7:
00411727 8bf4 mov esi,esp

但实际上是硬件断点，看看debug register的值，dr6表明硬件断点dr1命中。
0:000> r dr6, dr7
dr6=ffff0ff1 dr7=00010501