แก้ไข

แชร์ผ่าน


s (Search Memory)

The s command searches through memory to find a specific byte pattern.

Do not confuse this command with the ~s (Change Current Processor), ~s (Set Current Thread), |s (Set Current Process), or ||s (Set Current System) commands.

s [-[[Flags]Type]] Range Pattern 
s -[[Flags]]v Range Object 
s -[[Flags]]sa Range 
s -[[Flags]]su Range 

Parameters

[ Flags]
Specifies one or more search options. Each flag is a single letter. You must enclose the flags in a single set of brackets ([]). You cannot add spaces between the brackets, except between n or l and its argument. For example, if you want to specify the s and w options, use the command s -[sw]Type Range Pattern.

You can specify one or more of the following flags:

s
Saves all of the results of the current search. You can use these results to repeat the search later.

r
Restricts the current search to the results from the last saved search. You cannot use the s and r flags in the same command. When you use r, the value of Range is ignored, and the debugger searches only those hits that were saved by the previous s command.

n Hits
Specifies the number of hits to save when you use the s flag. The default value is 1024 hits. If you use n together with other flags, n must be the last flag, followed by its Hits argument. The space between n and Hits is optional, but you cannot add any other spaces within the brackets. If any later search that uses the s flag discovers more than the specified number of hits, the Overflow error message is displayed to notify you that not all hits are being saved.

l Length
Causes a search for arbitrary ASCII or Unicode strings to return only strings that are at least Length characters long. The default length is 3. This value affects only searches that use the -sa or -su flags.

w
Searches only writeable memory regions. You must enclose the "w" in brackets.

1
Displays only the addresses of search matches in the search output. This option is useful if you are using the .foreach token to pipe the command output into another command's input.

Type
Specifies the memory type to search for. Add a hyphen (-) in front of Type . You can use one of the following Type values.

Type Description

b

Byte (8 bits)

w

WORD (16 bits)

d

DWORD (32 bits)

q

QWORD (64 bits)

a

ASCII string (not necessarily a null-terminated string)

u

Unicode string (not necessarily a null-terminated string)

If you omit Type, byte values are used. However, if you use Flags, you cannot omit Type.

sa
Searches for any memory that contains printable ASCII strings. Use the l Length flag to specify a minimum length of such strings. The default minimum length is 3 characters.

su
Searches for any memory that contains printable Unicode strings. Use the l Length flag to specify a minimum length of such strings. The default minimum length is 3 characters.

Range
Specifies the memory area to search through. This range cannot be more than 256 MB long unless you use the L? syntax. For more information about this syntax, see Address and Address Range Syntax.

Pattern
Specifies one or more values to search for. By default, these values are byte values. You can specify different types of memory in Type. If you specify a WORD, DWORD, or QWORD value, depending on the other options selected, you may need to enclose the search pattern in single quotation marks (for example, 'H').

0:000> s -d @rsp L1000000 'H'  
0000003f`ff07ec00  00000048 00000000 500c0163 00000000  H.......c..P....
0000003f`ff07ec50  00000048 00000000 00000080 00000000  H...............
0000003f`ff07efc0  00000048 00000000 400c0060 00000000  H.......`..@....

If you specify a string, using the ascii type, enclose it in double quotation marks (for example, "B7").

0:000> s -a @rsp L10000000 "B7"  
0000003f`ff07ef0a  42 37 ff 7f 00 00 90 38-4e c2 6c 01 00 00 7d 26  B7.....8N.l...}&
0000003f`ff0ff322  42 37 ff 7f 00 00 f8 5d-42 37 ff 7f 00 00 20 41  B7.....]B7.... A
0000003f`ff0ff32a  42 37 ff 7f 00 00 20 41-42 37 ff 7f 00 00 98 59  B7.... AB7.....Y

-v
Searches for objects of the same type as the specified Object.

Object
Specifies the address of an object or the address of a pointer to an object. The debugger then searches for objects of the same type as the object that Object specifies.

Environment

Item Description
Modes User mode, kernel mode
Targets Live, crash dump
Platforms All

Additional Information

For more information about memory manipulation and a description of other memory-related commands, see Reading and Writing Memory.

Remarks

If the debugger finds the byte pattern that you specify, the debugger displays the first memory address in the Range memory area where the pattern was found. The debugger displays an excerpt of memory that begins at that location in a format that matches the specified Type memory type. If Type is a or u, the memory contents and the corresponding ASCII or Unicode characters are displayed.

You must specify the Pattern parameter as a series of bytes, unless you specify a different Type value. You can enter byte values as numeric or ASCII characters:

  • Numeric values are interpreted as numbers in the current radix (16, 10, or 8). To change the default radix, use the n (Set Number Base) command. You can override the default radix by specifying the 0x prefix (hexadecimal), the 0n prefix (decimal), the 0t prefix (octal), or the 0y prefix (binary). Note   The default radix behaves differently when you use C++ expressions. For more information about these expressions and the radix, see Evaluating Expressions.

  • You must enclose ASCII characters in single straight quotation marks. You cannot use C-style escape characters (such as '\0' or '\n').

If you specify multiple bytes, you must separate them by spaces.

The s-a and s-u commands search for specified ASCII and Unicode strings, respectively. These strings do not have to be null-terminated.

The s-sa and s-su commands search for unspecified ASCII and Unicode strings. These are useful if you are checking a range of memory to see whether it contains any printable characters. The flags options allow you to specify a minimum length of string to find.

Example: The following command finds ASCII strings that are of length >=3 in the range beginning at 0000000140000000 and ending 400 bytes later.

s-sa 0000000140000000 L400

The following command finds ASCII strings that are of length >=4 in the range beginning at 0000000140000000 and ending 400 bytes later

s -[l4]sa 0000000140000000 L400

The following command does the same thing, but it limits the search to writeable memory regions.

s -[wl4]sa 0000000140000000 L400

The following command does the same thing, but displays only the address of the match, rather than the address and the value.

s -[1wl4]sa 0000000140000000 L400

The s-v command searches for objects of the same data type as the Object object. You can use this command only if the desired object is a C++ class or another object that is associated with virtual function tables (Vtables). The s-v command searches the Range memory area for the addresses of this class's Vtables. If multiple Vtables exist in this class, the search algorithm looks for all of these pointer values, separated by the proper number of bytes. If any matches are found, the debugger returns the base address of the object and full information about this object--similar to the output of the dt (Display Type) command.

Example: Assume the current radix is 16. The following three command all do the same thing: search memory locations 0012FF40 through 0012FF5F for "Hello".

0:000> s 0012ff40 L20 'H' 'e' 'l' 'l' 'o' 
0:000> s 0012ff40 L20 48 65 6c 6c 6f 
0:000> s -a 0012ff40 L20 "Hello" 

These commands locate each appearance of "Hello" and return the address of each such pattern--that is, the address of the letter "H".

The debugger returns only patterns that are completely contained in the search range. Overlapping patterns are found correctly. (In other words, the pattern "QQQ" is found three times in "QQQQQ".)

The following example shows a search that uses the Type parameter. This command searches memory locations 0012FF40 through 0012FF5F for the double-word 'VUTS':

0:000> s -d 0012ff40 L20 'VUTS' 

On little-endian computers, 'VUTS' is the same as the byte pattern 'S' 'T' 'U' 'V'. However, searches for WORDs, DWORDs, and QWORDs return only results that are correctly byte-aligned.