Partilhar via


WinDbg: search for a string

Just thought of sharing this..

 To search for a string (“Error: 1002”) in memory, we run the following command:

 0:000> s -a 0 L?80000000 "Error: 1002"

04b0e06c  45 72 72 6f 72 3a 20 31-30 30 32 00 00 00 00 00  Error: 1002.....

Another example to search for address 04b0e06c in memory is:

0:000>s -d 0 L?80000000 04b0e06c

Here ‘d’ stands for DWORD. We can use 'a' for ASCII string as shown below:

So the command syntax stands as: s –[flag] <Start Address> L<Length to search> <the search value or string>

Example: 0:069> s -d 0 l?0x80000000 1b503e94

This means search for DWORD address 1b503e94 from 0 to HEX 80000000. This means search the whole user mode address space for a 32 bit application (Not large address space aware).

Please note that ?80000000 and ?0x80000000 would mean the same range. Both represent a HEX number. To represent a decimal number we would type ?0n<number>

Example:

0:000> ?10 ===============================> This is HEX 10.

Evaluate expression: 16 = 00000010

0:000> ?0n10 =============================> This is DECIMAL 10.

Evaluate expression: 10 = 0000000a

0:000> ?0x10 =============================> This is HEX 10.

Evaluate expression: 16 = 00000010

Reference:

The following table shows the default memory range for each partition.

Memory Range

Usage

Low 2GB range (0x00000000 through 0x7fffffff)

Used by the process

High 2GB range (0x80000000 through 0xffffffff)

Used by the system

By Shamik Misra

Comments

  • Anonymous
    February 05, 2014
    What would be the Memory Range for a x64 plaform? (Process/System)

  • Anonymous
    November 11, 2014
    For 64 bit partial solution could be as follows; unfortunately it still won't search the whole address space !for_each_module s -[1]a ${@#Base} L?${@#Size}  "your string"