Monday, June 25, 2007

Scan the full process memory for a pattern

Very often I need to scan the process memory for a specific pattern.
This can be either a pointer or a string or whatever and I want to find out, which other memory references this pointer or pattern.

Simply type ''s -d 0x00000000 L?0xffffffff ' to find a referenced pointer on a x32 architecture.


0:000> s -d 0x00000000 L?0xffffffff 30c5bf9c
0012b2b0 30c5bf9c 00000000 00000000 00000000 ...0............
0012b2f8 30c5bf9c 9955d404 0badf00d 3e4d1f74 ...0..U.....t.M>
0012b340 30c5bf9c 3e4d1f70 9955d450 0badf00d ...0p.M>P.U.....
0012b374 30c5bf9c 3e4d1f70 9955d49c 00000001 ...0p.M>..U.....
3e4d1f7c 30c5bf9c 00000000 00000000 00000001 ...0............
3e4d1f90 30c5bf9c 00000000 00000000 00000000 ...0............
3e4d1fd0 30c5bf9c 30c5bf9c 00000000 00000001 ...0...0........
3e4d1fd4 30c5bf9c 00000000 00000001 33522fc0 ...0........./R3

The first column lists the locations that matched the pattern.

For more information refer to windbg online help: s (Search Memory)


Roberto A. Farah said...

Great blog, Volker!!!
Here are two other things you can do with the 's' command:
Dump all ASCII and Unicode strings.
s -sa 0 0FFFFFFF
s -su 0 0FFFFFFF

Now scans for a pattern and returns just the address of the pattern:
s -[1]a 0 0FFFFFFF "Composition"

Useful to use from loops. ;-)

Anonymous said...

Thank you for ur great example.
Can you please post an example on how to write data on a certain address.

Thanks in advance

Khaled Mahmoud

Volker von Einem said...

Hi Khaled,

find the example here...


Khaled Mahmoud said...

Many thanks for your great help.
Field of debugging through WinDbg seems very interesting and powerful.

What I am trying to do is that I have a Windows Application with GUI, and it has a label [For example

Random Number : 7789

The 7789 is stored in a variable inside the application in memory. I want to each the memory address of this variable.

I dont know where to search Heap,Stack.

Initially I displayed all threads using the ~ command

and then searched in the memory address of each thread.

But this way seems to hectic.

Any ideas would be so much appreciated.

Volker von Einem said...

You simply need to search through the whole virtual memory space 0x00000000 0xfffffff for 32bit machines. It might be that your value is stored in a CPU register. Then you need to modify it there (refer to the r command).

Khaled Mahmoud said...

It seems I could not find the variable I am looking for. Because the search operation leads to so many results and I have changed all of them and nothing occurs.

I am now thinking of a new approach,
this variable I am talking about, every say n seconds is added to one.
100 101 102 103 104 105 106 ...etc.

Is it possible in WinDbg to open the exeutable file and search for an addition command to one [Search for a command that adds a variable to one] and change the value of one to 10 for example.

Volker von Einem said...

you could potentially search for the assembler instruction, but I think you will get very many hits.
Don't you have files and symbols?

Khaled Mahmoud said...

I am still new to WinDbg and debugging at this level. I dont know what do you mean by symbol file and what they are used for??

Khaled Mahmoud said...

Another question, How can I search for this using the assemler instruction ??

Volker von Einem said...

please refer to this article from Tess for the basic symbol stuff:

the searching for assembler instruction leads you nowhere I guess - so I'm skipping it ;-)


Khaled Mahmoud said...

What is the string or hex code I will be searching for that represents add a value to one??

One more question, in ur example, the search is done overall virtual memory. Why not to search only in the memory areas dedicated only to the process under question ??

Jan said...

OK - just for completness - how would you search for a hex string (address) in 64-bit world?

sypha0x said...

If you want to find that random number Khaled Mahmoud this is what you can do below:

1:007> s -w 0 l?ffffffff 0n7789
00000000`0059f61e 1e6d 0e9e 0202 1e6c 0e9e 1202 1e93 0eaa m.....l.........
00000000`006ffd94 1e6d 0202 0e13 0e4c 1e73 0202 0e14 0e4c m.....L.s.....L.
00000000`00702aba 1e6d 4203 0e13 1e73 4203 0e14 1e79 4203 m..B..s..B..y..B
00000000`007a339c 1e6d 0203 1e73 0203 1e79 0203 1e7f 0203 m...s...y.......
00000000`007f2582 1e6d 1e71 0000 0000 0000 0000 0000 0000 m.q.............
00000000`009fef20 1e6d 0000 0000 0000 0000 0000 e401 0400 m...............
00000000`0224f61e 1e6d 0e9e 0202 1e6c 0e9e 1202 1e93 0eaa m.....l.........
00000000`023afd94 1e6d 0202 0e13 0e4c 1e73 0202 0e14 0e4c m.....L.s.....L.
00000000`023b2aba 1e6d 4203 0e13 1e73 4203 0e14 1e79 4203 m..B..s..B..y..B
00000000`0245339c 1e6d 0203 1e73 0203 1e79 0203 1e7f 0203 m...s...y.......
00000000`024a2582 1e6d 1e71 0000 0000 0000 0000 0000 0000 m.q.............
00000000`ffab24fc 1e6d ff8e 1212 3e48 dfe0 4756 33a0 2809 m.....H>..VG.3.(
00000000`ffad6c54 1e6d 6bb4 2202 5800 7801 151d 7780 8001 m..k.".X.x...w..
1:007> .formats 0n7789
Evaluate expression:
Hex: 00000000`00001e6d
Decimal: 7789
Octal: 0000000000000000017155
Binary: 00000000 00000000 00000000 00000000 00000000 00000000 00011110 01101101
Chars: .......m
Time: Wed Dec 31 21:09:49 1969
Float: low 1.09147e-041 high 0
Double: 3.84828e-320
1:007> !address 00000000`0059f61e
ProcessParametrs 00000000003823e0 in range 0000000000380000 0000000000418000
Environment 0000000000381310 in range 0000000000380000 0000000000418000
0000000000480000 : 0000000000480000 - 000000000037f000
Type 00040000 MEM_MAPPED
Protect 00000002 PAGE_READONLY
State 00001000 MEM_COMMIT
Usage RegionUsageIsVAD

RegionUsageIsVAD is the Memory Region it's located. Which the WinDbg help files state:

RegionUsageIsVad = "The "busy" region. This region includes all virtual allocation blocks, the SBH heap, memory from custom allocators, and all other regions of the address space that fall into no other classification."

For "Jan" QUESTION regarding 64-bit Hex Strings. It doesn't matter it still works the same. The only difference of course is that you're working from a 64-bit memory address but the data is still stored the same either ASCII or UNICODE translation.

Kelly Ryan said...

I am trying to automate this process and do this command through a command line to windbg however when I enter the commandline:
windbg.exe -c "s -a 0x0000000 L?0xffffffff "test 1""

I run into issues with the quotes where it says it cannot specify more than one kind of debugging to start.

I see that this works ok when i type in s -a 0x0000000 L?0xffffffff "test 1" and finds the string easily. I have tried end chars like \" and ^ to try and pass in the quotes with the test 1 string, but nothing has worked. Any recommendations would be great.