Special Command: Displaying Memory Data Using the d* Command and Its Variations


The d* command and its variations are among the most commonly used commands. In this article I’m covering the most important combinations and showing their output.


The d* commands display the contents of memory, including the heap and the stack. The same bytes can be presented in several formats, one per variation.




dd


dd displays memory as double words (DWORDs), that is, 4-byte (32-bit) values.


The default count is 32 DWORDs (128 bytes).


Example:




db


db displays the data one byte at a time, with an ASCII rendering of the same bytes alongside.


Tip: When you don’t know the data format, use db. Using db you can see numbers, ASCII characters and Unicode characters. This is the variation I use most of the time.


Example:




du


This variation displays a null-terminated Unicode (UTF-16) string.


Example:




da


This variation displays a null-terminated ASCII string.


Tip: If da shows you the characters separated by “.”, like:


T.e.s.t


and du shows you the same string without the dots, the data is a Unicode string, not an ASCII string: each UTF-16 character occupies two bytes, and da prints the zero high byte of each character as “.”. So, you may want to use du.


Example:





dc


This is also very useful. It displays double word values (4 bytes each) together with the ASCII characters of the same bytes.


Example:




dyb


It displays each byte both as its binary (bit) representation and as a byte value.


Tip: This command offers an easy way to see each byte for a double word value and its corresponding bits.


Example:





Another command that’s similar to dyb is .formats.


.formats <address>


Example:




You can also add an L range to any of the commands above to display a specific number of items. The count is in the unit of the command (bytes for db, double words for dd and dc) and, like other WinDbg numbers, it is read as hexadecimal by default, so L 100 means 0x100 items.


Example:


dd <address> L 1







db <address> L 100







dc <address> L 20
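To make the differences between the variations concrete, here is an added example (not part of the original article and not WinDbg's own code) that re-implements the db, dd, dc, da, du and dyb formats and the L range suffix over a small constructed memory image. The image contains the string Test both as ASCII and as UTF-16, which reproduces the T.e.s.t effect from the da tip above; the column layout is only approximate, the dyb default count is this toy's choice, and the stop rule for da is a labelled simplification.

```python
"""Toy re-implementation of the WinDbg d* display formats over a constructed
memory image. Added example, not WinDbg: layout is approximate and the da
stop rule is a simplification (see the comment on da)."""

MEM_BASE = 0x00401000

# Constructed sample memory (32 bytes): an ASCII string, the same string as
# UTF-16, a DWORD, a pointer back into the image, and some filler.
MEMORY = (
    b"Test\x00\x00\x00\x00"                       # +00: ASCII "Test", NUL, padding
    + "Test".encode("utf-16-le") + b"\x00\x00"    # +08: UTF-16 "Test" plus terminator
    + b"\x00\x00"                                 # +12: padding
    + (0x12345678).to_bytes(4, "little")          # +14: a DWORD, stored little-endian
    + (MEM_BASE + 8).to_bytes(4, "little")        # +18: pointer to the UTF-16 string
    + b"\xff\xff\xff\xff"                         # +1c: filler
)

def read(addr, size):
    """Return up to `size` bytes at addr (a real debugger prints ???? past the mapped range)."""
    off = addr - MEM_BASE
    if off < 0 or off >= len(MEMORY):
        raise ValueError("address %08x is outside the sample memory" % addr)
    return MEMORY[off:off + size]

def printable(b):
    """ASCII rendering used by db/dc/da: non-printable bytes show as '.'."""
    return chr(b) if 0x20 <= b < 0x7F else "."

def db(addr, count=0x80):
    """Bytes, 16 per line: hex on the left, ASCII view of the same bytes on the right."""
    data, lines = read(addr, count), []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexpart = " ".join("%02x" % b for b in chunk[:8])
        if len(chunk) > 8:
            hexpart += "-" + " ".join("%02x" % b for b in chunk[8:])
        lines.append("%08x  %-47s  %s" % (addr + i, hexpart, "".join(printable(b) for b in chunk)))
    return lines

def dwords(addr, count):
    """Little-endian DWORDs: the bytes 78 56 34 12 read back as 12345678."""
    data = read(addr, count * 4)
    return [int.from_bytes(data[i:i + 4], "little") for i in range(0, len(data) - len(data) % 4, 4)]

def dd(addr, count=0x20):
    """Double words, 4 per line."""
    vals = dwords(addr, count)
    return ["%08x  %s" % (addr + i * 4, " ".join("%08x" % v for v in vals[i:i + 4]))
            for i in range(0, len(vals), 4)]

def dc(addr, count=0x20):
    """Double words plus the ASCII view of the same bytes."""
    vals, lines = dwords(addr, count), []
    for i in range(0, len(vals), 4):
        row = vals[i:i + 4]
        text = "".join(printable(b) for b in read(addr + i * 4, len(row) * 4))
        lines.append("%08x  %-35s  %s" % (addr + i * 4, " ".join("%08x" % v for v in row), text))
    return lines

def da(addr, maxlen=48):
    """ASCII string. Simplification: stop at the first pair of zero bytes, so a UTF-16
    string renders as T.e.s.t (each zero high byte shows as '.') as the article describes."""
    data, chars = read(addr, maxlen), []
    for i, b in enumerate(data):
        if b == 0 and (i + 1 >= len(data) or data[i + 1] == 0):
            break
        chars.append(printable(b))
    return '%08x  "%s"' % (addr, "".join(chars))

def du(addr, maxlen=48):
    """UTF-16LE string, terminated by a zero 16-bit code unit."""
    data, chars = read(addr, maxlen * 2), []
    for i in range(0, len(data) - 1, 2):
        code = int.from_bytes(data[i:i + 2], "little")
        if code == 0:
            break
        chars.append(chr(code) if 0x20 <= code < 0x7F else ".")
    return '%08x  "%s"' % (addr, "".join(chars))

def dyb(addr, count=0x10):
    """Each byte as 8 bits next to its hex value (the default count is this toy's choice)."""
    data, lines = read(addr, count), []
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4]
        lines.append("%08x  %s  %s" % (addr + i, " ".join(format(b, "08b") for b in chunk),
                                       " ".join("%02x" % b for b in chunk)))
    return lines

def parse_range(arg, default):
    """Parse '<address> [L count]'. The count is in the command's own unit (bytes for db,
    DWORDs for dd/dc) and, as in WinDbg, is read as hexadecimal: 'L 100' means 0x100."""
    parts = arg.split()
    addr, count = int(parts[0], 16), default
    if len(parts) > 1 and parts[1].upper().startswith("L"):
        count = int(parts[1][1:] or parts[2], 16)    # accepts both 'L20' and 'L 20'
    return addr, count

COMMANDS = {"db": (db, 0x80), "dd": (dd, 0x20), "dc": (dc, 0x20), "dyb": (dyb, 0x10)}

def run(cmdline):
    """Run one command line such as 'dd 00401014 L 1' and return its output lines."""
    name, _, rest = cmdline.partition(" ")
    if name in ("da", "du"):
        return [(da if name == "da" else du)(parse_range(rest, 0)[0])]
    fn, default = COMMANDS[name]
    return fn(*parse_range(rest, default))

if __name__ == "__main__":
    for cmd in ("db 00401000", "dd 00401014 L 1", "dc 00401000 L 4",
                "da 00401000", "da 00401008", "du 00401008", "dyb 00401014 L 4"):
        print("0:000> " + cmd + "\n" + "\n".join(run(cmd)))
```

Running it side by side shows the point of the tips: da 00401000 prints "Test" while da 00401008 prints "T.e.s.t" and du 00401008 prints "Test" again, and dyb 00401014 L 4 lays out the four bytes of 12345678 in memory order (78 56 34 12) with their bits.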





Here you can see scripts that use the d* command.



Comments (5)

  1. Nice post! Indeed, probably the d* commands are the most useful and used commands for every WinDbg user.

    Sometimes, we know we’re looking at a pointer, so we need to dereference it to see what it’s pointing to:

    dd 0xababababab L4

    ababababab ebaebaeba 0ba0ba0ba 35353535

    da poi(ababababab+4)

    ebaebaeba "This is a string"

    This can be useful and quicker if we’re dealing with the stack:

    dd @$csp L4

    ababababab ebaebaeba 0ba0ba0ba 35353535

    da poi(@$csp+4) $$ I know what parameter this is

    ebaebaeba "This is a string"

    []s

  2. Reading your comment, I’ve noticed I didn’t put any examples, like yours, using poi or dereferencing pointers.

    Thanks for doing that! 🙂