แก้ไข

แชร์ผ่าน


!search

The !search extension searches pages in physical memory for pointer-sized data that matches the specified criteria.

Syntax

!search [-s] [-p] Data [ Delta [ StartPFN [ EndPFN ]]] 
!search -?

Parameters

-s
Causes symbol check errors to be ignored during the search. This is useful if you are getting too many "incorrect symbols for kernel" errors.

-p
Causes the value of Data to be interpreted as a 32-bit value, preventing any sign extension.

Data
Specifies the data to search for. Data must be the size of a pointer on the target system (32 bits or 64 bits). An exact match for the value of Data is always displayed. Other matches are displayed as well, depending on the value of Delta; see the Remarks section below for details.

Delta
Specifies the allowable difference between a value in memory and the value of Data. See the Remarks section below for details.

StartPFN
Specifies the page frame number (PFN) of the beginning of the range to be searched. If this is omitted, the search begins at the lowest physical page.

EndPFN
Specifies the page frame number (PFN) of the end of the range to be searched. If this is omitted, the search ends at the highest physical page.

-?
Displays help for this extension in the Debugger Command window.

DLL

Kdexts.dll

Additional Information

For more ways to display and search physical memory, see Reading and Writing Memory.

Remarks

If StartPFN and EndPFN are specified, these are taken as the page frame numbers of the beginning and end of the range in physical memory to be searched. For an explanation of page frame numbers, see Converting Virtual Addresses to Physical Addresses. If StartPFN and EndPFN are omitted, all physical memory is searched.

All hits are displayed.

The !search extension will search through all memory for in the specified page range and examine each ULONG_PTR-aligned value. Values that satisfy at least one of the following criteria are displayed:

  • The value matches Data exactly.

  • If Delta is 0 or omitted: The value differs from Data by a single bit.

  • If Delta is nonzero: The value differs from Data by at most Delta. In other words, the value lies in the range [Data - Delta, Data + Delta].

  • If Delta is nonzero: The value differs from the lowest number in the range (Data - Delta) by a single bit.

In most cases, Data will specify an address you are interested in, but any ULONG_PTR sized data can be specified.

Because the debugger's search engine structures reside in memory on the target computer, if you search all of memory (or any range containing these structures) you will see matches in the area where the structures themselves are located. If you need to eliminate these matches, do a search for a random value; this will indicate where the debugger's search structures are located.

Here are some examples. The following will search the memory page with PFN 0x237D for values between 0x80001230 and 0x80001238, inclusive:

kd> !search 80001234 4 237d 237d 

The following will search the memory pages ranging from PFN 0x2370 to 0x237F for values that are within one bit of 0x0F100F0F. The exact matches are indicated in bold; the others are off by one bit:

kd> !search 0f100f0f 0 2370 237f
Searching PFNs in range 00002370 - 0000237F for [0F100F0F - 0F100F0F]

Pfn      Offset   Hit      Va       Pte      
- - - - - - - - - - - - - - - - - - -
0000237B 00000368 0F000F0F 01003368 C0004014 
0000237C 00000100 0F100F0F 01004100 C0004014 
0000237D 000003A8 0F100F0F 010053A8 C0004014 
0000237D 000003C8 0F100F8F 010053C8 C0004014 
0000237D 000003E8 0F100F0F 010053E8 C0004014 
0000237D 00000408 0F100F0F 01005408 C0004014 
0000237D 00000428 0F100F8F 01005428 C0004014 
Search done.

The columns in the display are as follows: Pfn is the page frame number (PFN) of the page; Offset is the offset on that page; Hit is the value at that address; Va is the virtual address mapped to this physical address (if this exists and can be determined); Pte is the page table entry (PTE).

To calculate the physical address, shift the PFN left three hexadecimal digits (12 bits) and add the offset. For example, the last line in the table is virtual address 0x0237D000 + 0x428 = 0x0237D428.