Memory search, including unknown values

Question

Memory search, including unknown values

In WinDbg, I can do a memory search for bytes with a command s, for example.

s 0012ff40 L?2000 48 65 6c 6c 6f

There is also a way to include unknown bytes in a search sequence, for example.

s 0012ff40 L?2000 48 65 ?? ?? ?? 6c 6f

where ??is the byte with an arbitrary value?

Idea

How about running ((XOR memory 48 65 00 00 00 6c 6f) AND FF FF 00 00 00 FF FF) and compare this to 00 00 00 00 00 00 00? But I do not know how to do this in WinDbg.

+4

windbg

Thomas weller Jan 6 '14 at 13:59

source share

2 answers

, / . , (1200 < X < 2400)

add esp, X
ret

regex 81 c4 .. .. .. 00 c3

add esp,600h
ret

0

Nitro 19 . '17 4:31

Player · Accepted Answer · 2014-01-07T08:13:43+0000

Not sure if the search team supports wild card. But you can use .foreach commandto achieve what you want.

Here is an example that I used to search for a memory pattern such as ff ?? 00

.foreach(hit {s - [1] b 00007ffabc520000 L100 ff}) {db hit L3; s ${hit} +2 L1 00}

, :

. - debugger windbg, . Windbg, Help |

{s -[1]b 00007ffabc520000 L100 ff }

[1] s, .

s ${hit}+2 L1 00

. , , .

db hit L3

, patter, . , !

, . , .

Memory search, including unknown values

More articles: