Very often I need to scan the process memory for a specific pattern.
This can be a pointer, a string or anything else, and I want to find out which other memory locations reference this pointer or pattern.
Simply type s -d 0x00000000 L?0xffffffff <pattern> to search the whole 32-bit address space. The L? form of the range is required because a plain range larger than 256 MB is rejected. -d searches for the pattern as a 4-byte DWORD value in the target's (little-endian) byte order, so the pointer 30c5bf9c is matched where the bytes 9c bf c5 30 appear in memory.
E.g.:
0:000> s -d 0x00000000 L?0xffffffff 30c5bf9c
0012b2b0 30c5bf9c 00000000 00000000 00000000 ...0............
0012b2f8 30c5bf9c 9955d404 0badf00d 3e4d1f74 ...0..U.....t.M>
0012b340 30c5bf9c 3e4d1f70 9955d450 0badf00d ...0p.M>P.U.....
0012b374 30c5bf9c 3e4d1f70 9955d49c 00000001 ...0p.M>..U.....
3e4d1f7c 30c5bf9c 00000000 00000000 00000001 ...0............
3e4d1f90 30c5bf9c 00000000 00000000 00000000 ...0............
3e4d1fd0 30c5bf9c 30c5bf9c 00000000 00000001 ...0...0........
3e4d1fd4 30c5bf9c 00000000 00000001 33522fc0 ...0........./R3
The first column lists the addresses at which the pattern was found; the remaining columns dump the memory starting at that address, so the data surrounding each reference is visible at a glance.
For more information refer to the WinDbg online help: s (Search Memory)
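The search above, re-implemented in Python as an added example (this is not code from the original post): it runs the equivalent of s -d over a constructed byte buffer, such as a region saved from a dump, and prints each hit in the same layout as WinDbg. It goes slightly beyond the post in that the value width is a parameter, so the same routine covers 8-byte pointers (the s -q case). The base address, the pointer value and the buffer contents are made-up inputs; the second hit is built to reproduce the second line of the output shown above.

```python
"""Added example, not from the original post: what `s -d` does, re-implemented in
Python over a constructed byte buffer (think of a region saved from a dump).
The base address, the pointer value and the buffer contents are assumptions."""
import struct

# Constructed memory region (assumed values, not real data).
SAMPLE_BASE = 0x0012B2B0
POINTER = 0x30C5BF9C              # the 32-bit value searched for in the post
POINTER64 = 0x00007FF630C5BF9C    # a 64-bit pointer whose low DWORD happens to be POINTER


def build_sample_memory() -> bytearray:
    """Constructed 256-byte region with the pattern stored at several places."""
    mem = bytearray(0x100)
    struct.pack_into("<I", mem, 0x00, POINTER)                      # aligned hit
    struct.pack_into("<IIII", mem, 0x48, POINTER, 0x9955D404, 0x0BADF00D, 0x3E4D1F74)
    struct.pack_into("<I", mem, 0x91, POINTER)                      # unaligned copy
    struct.pack_into("<Q", mem, 0xA0, POINTER64)                    # 64-bit pointer
    return mem


def search_value(mem, base, value, width=4, aligned=True):
    """Addresses where `value` is stored little-endian in `width` bytes.

    width=4 mirrors `s -d`, width=8 mirrors `s -q`, width=1 mirrors `s -b`.
    With aligned=True only offsets that are multiples of `width` are reported,
    which reproduces the DWORD-aligned hits shown in the post; aligned=False
    also reports copies that straddle a DWORD boundary.
    """
    fmt = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}[width]
    needle = struct.pack(fmt, value)      # 0x30c5bf9c becomes b"\x9c\xbf\xc5\x30"
    hits, start = [], 0
    while True:
        off = mem.find(needle, start)
        if off < 0:
            return hits
        if not aligned or off % width == 0:
            hits.append(base + off)
        start = off + 1


def format_hit(mem, base, addr, ncols=4):
    """Render a match the way WinDbg prints it: address, four DWORDs, ASCII column."""
    off = addr - base
    chunk = bytes(mem[off:off + 4 * ncols]).ljust(4 * ncols, b"\0")
    words = struct.unpack("<%dI" % ncols, chunk)
    text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
    return "%08x %s %s" % (addr, " ".join("%08x" % w for w in words), text)


if __name__ == "__main__":
    mem = build_sample_memory()
    for a in search_value(mem, SAMPLE_BASE, POINTER):
        print(format_hit(mem, SAMPLE_BASE, a))
    print("unaligned too:", [hex(a) for a in search_value(mem, SAMPLE_BASE, POINTER, aligned=False)])
    print("64-bit:", [hex(a) for a in search_value(mem, SAMPLE_BASE, POINTER64, width=8)])
```

Note that the 32-bit search also reports the low half of the 64-bit pointer at offset 0xa0: a DWORD search cannot tell a 32-bit pointer from the low DWORD of a QWORD, so on a 64-bit target search with width 8 (s -q) and the full value.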
Monday, June 25, 2007
Scan the full process memory for a pattern

11 comments:
Great blog, Volker!!!
Here are two other things you can do with the 's' command:
Dump all ASCII and Unicode strings.
s -sa 0 0FFFFFFF
s -su 0 0FFFFFFF
Now scan for a pattern and return just the address of each match:
s -[1]a 0 0FFFFFFF "Composition"
Useful to use from loops. ;-)
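The three s variants from the comment above, re-implemented in Python as an added example (this is neither the commenter's nor Volker's code): equivalents of s -sa, s -su and s -[1]a run over a constructed buffer, so the difference between an ASCII hit and a UTF-16 hit can be checked offline. The base address, the buffer contents and the minimum string length are assumptions.

```python
"""Added example, not from the comment: Python equivalents of `s -sa`, `s -su`
and `s -[1]a`, run over a constructed buffer. Base address, contents and the
minimum string length are assumptions."""
import re

SAMPLE_BASE = 0x00400000


def build_sample_memory() -> bytes:
    """Constructed 128-byte region: one ASCII string, one UTF-16LE string, some noise."""
    mem = bytearray(0x80)
    mem[0x10:0x1B] = b"Composition"                          # ASCII, found by -sa
    u = "Composition".encode("utf-16-le")                    # UTF-16LE, found by -su
    mem[0x40:0x40 + len(u)] = u
    mem[0x60:0x62] = b"ok"                                   # too short to count
    mem[0x70:0x74] = bytes.fromhex("0df0ad0b")               # non-printable noise
    return bytes(mem)


def find_ascii_strings(mem, base, min_len=3):
    """Like `s -sa`: every run of at least `min_len` printable ASCII bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(base + m.start(), m.group().decode("ascii")) for m in pat.finditer(mem)]


def find_unicode_strings(mem, base, min_len=3):
    """Like `s -su`: runs of printable ASCII characters encoded as UTF-16LE,
    i.e. each character byte followed by a 0x00 byte."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(base + m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(mem)]


def find_string_addresses(mem, base, needle):
    """Like `s -[1]a`: only the start address of each ASCII match, the form a
    scripted loop over the results wants."""
    raw = needle.encode("ascii")
    hits, start = [], 0
    while True:
        off = mem.find(raw, start)
        if off < 0:
            return hits
        hits.append(base + off)
        start = off + 1


if __name__ == "__main__":
    mem = build_sample_memory()
    for addr, s in find_ascii_strings(mem, SAMPLE_BASE):
        print("ascii   %08x %s" % (addr, s))
    for addr, s in find_unicode_strings(mem, SAMPLE_BASE):
        print("unicode %08x %s" % (addr, s))
    print("addresses only:", [hex(a) for a in find_string_addresses(mem, SAMPLE_BASE, "Composition")])
```

The ASCII scan does not report the UTF-16 copy and vice versa, because a UTF-16LE string of Latin characters is a sequence of printable byte, 0x00, printable byte, 0x00, which is exactly what the Unicode pattern matches and the ASCII pattern rejects; when a string you expect to find is missing, run the other variant before concluding it is not in memory.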
Thank you for your great example.
Can you please post an example of how to write data to a certain address.
Thanks in advance
Khaled Mahmoud
Khaledinho@yahoo.com
Hi Khaled,
find the example here...
Cheers,
Volker
Many thanks for your great help.
The field of debugging through WinDbg seems very interesting and powerful.
What I am trying to do is this: I have a Windows application with a GUI, and it has a label [for example
Random Number : 7789
The 7789 is stored in a variable inside the application in memory. I want to reach the memory address of this variable.
I don't know where to search, heap or stack.
Initially I displayed all threads using the ~ command
and then searched in the memory address of each thread.
But this way seems too hectic.
Any ideas would be so much appreciated.
You simply need to search through the whole virtual memory space 0x00000000-0xffffffff for 32-bit machines. It might be that your value is stored in a CPU register. Then you need to modify it there (refer to the r command).
It seems I could not find the variable I am looking for, because the search operation leads to so many results and I have changed all of them and nothing occurs.
I am now thinking of a new approach:
this variable I am talking about is, every say n seconds, increased by one.
100 101 102 103 104 105 106 ...etc.
Is it possible in WinDbg to open the executable file and search for an instruction that adds one [search for a command that adds one to a variable] and change the value of one to 10, for example?
You could potentially search for the assembler instruction, but I think you will get very many hits.
Don't you have the files and symbols?
I am still new to WinDbg and debugging at this level. I don't know what you mean by symbol files and what they are used for.
Another question: how can I search for this using the assembler instruction?
Please refer to this article from Tess for the basic symbol stuff:
http://blogs.msdn.com/tess/archive/2005/12/05/why-do-i-get-weird-function-names-on-my-stack-a-discussion-on-symbols.aspx
Searching for the assembler instruction leads you nowhere I guess - so I'm skipping it ;-)
Cheers,
Volker
OK - just for completeness - how would you search for a hex string (address) in the 64-bit world?