Just thought of sharing this..
To search for a string (“Error: 1002”) in memory, we run the following command:
0:000> s -a 0 L?80000000 "Error: 1002"
04b0e06c 45 72 72 6f 72 3a 20 31-30 30 32 00 00 00 00 00 Error: 1002.....
Another example to search for address 04b0e06c in memory is:
0:000> s -d 0 L?80000000 04b0e06c
Here ‘d’ stands for DWORD. We can use 'a' for an ASCII string, as in the first command above.
So the command syntax stands as:
s -[flag] <Start Address> L<Length to search> <the search value or string>
Example: 0:069> s -d 0 l?0x80000000 1b503e94
This searches for the DWORD address 1b503e94 from 0 to HEX 80000000, that is, the whole user-mode address space of a 32-bit application (not large-address-aware).
Please note that ?80000000 and ?0x80000000 mean the same range: both represent a HEX number. To represent a decimal number we would type ?0n<number>.
Example:
0:000> ?10 ===============================> This is HEX 10.
Evaluate expression: 16 = 00000010
0:000> ?0n10 =============================> This is DECIMAL 10.
Evaluate expression: 10 = 0000000a
0:000> ?0x10 =============================> This is HEX 10.
Evaluate expression: 16 = 00000010
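As an added illustration (not code from the original post), the Python model below mimics the two searches over a small constructed memory region: the ASCII search for the string, then the DWORD search for its address, which is stored little-endian. The names `BASE`, `MEM`, `search_ascii` and `search_dword` are hypothetical, and testing the DWORD pattern only at 4-byte steps from the start address is an assumption of this model.

```python
import struct

# Constructed sample: a 64-byte region mapped so that the string lands at the
# address shown in the post (0x04b0e06c). Not real process memory.
BASE = 0x04B0E040
MEM = bytearray(64)
MEM[0x2C:0x38] = b"Error: 1002\x00"               # string at BASE + 0x2c
MEM[0x08:0x0C] = struct.pack("<I", 0x04B0E06C)    # aligned pointer to the string
MEM[0x11:0x15] = struct.pack("<I", 0x04B0E06C)    # unaligned copy of the value

def parse_number(text):
    """Numbers are hex by default; 0n marks decimal and 0x marks hex."""
    t = text.lower()
    if t.startswith("0n"):
        return int(t[2:], 10)
    if t.startswith("0x"):
        return int(t[2:], 16)
    return int(t, 16)

def search(mem, base, start, length, pattern, step=1):
    """Return addresses in [start, start+length) where pattern occurs, testing
    every `step` bytes from start (step=1 models -a; step=4 for -d is assumed)."""
    lo = max(start, base)
    hi = min(start + length, base + len(mem))
    lo += (-(lo - start)) % step          # stay on the step grid from `start`
    hits = []
    for addr in range(lo, hi - len(pattern) + 1, step):
        off = addr - base
        if mem[off:off + len(pattern)] == pattern:
            hits.append(addr)
    return hits

def search_ascii(text, start="0", length="80000000"):
    return search(MEM, BASE, parse_number(start), parse_number(length),
                  text.encode("ascii"))

def search_dword(value, start="0", length="80000000"):
    # A DWORD is stored little-endian: 04b0e06c is the bytes 6c e0 b0 04.
    pat = struct.pack("<I", parse_number(value))
    return search(MEM, BASE, parse_number(start), parse_number(length), pat, 4)

if __name__ == "__main__":
    print([hex(a) for a in search_ascii("Error: 1002")])   # where the string is
    print([hex(a) for a in search_dword("04b0e06c")])      # what points at it
```

In this model the unaligned copy of the value is only found by a byte-granular search for the same four bytes, which is why a pointer stored at an odd offset can be missed by a DWORD-stepped scan.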
Reference:
The following table shows the default memory range for each partition.

| Memory Range | Usage |
| --- | --- |
| Low 2GB range (0x00000000 through 0x7fffffff) | Used by the process |
| High 2GB range (0x80000000 through 0xffffffff) | Used by the system |
By Shamik Misra
Anonymous
February 05, 2014
What would be the Memory Range for a x64 platform? (Process/System)
Anonymous
November 11, 2014
For 64 bit, a partial solution could be as follows; unfortunately it still won't search the whole address space:
!for_each_module s -[1]a ${@#Base} L?${@#Size} "your string"