Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Memory Search
See original GitHub issueI’ve forked DbgShell and started putting together a basic memory search command (which hopefully I will be able to polish into a reasonable pull request before the ADHD decides otherwise for me). I wanted to share some thoughts and get some input.
- I’ve forgone DbgEng’s search granularity option so that I could implement search alignment independent of the search size, to allow things like searching for pointers to nearby addresses:
> Search-DbgMemory 04244c -SearchValueLengthInBytes 3 -SearchResultAlignment 4 -FromAddress 1 | % { $_.Address - 1 } | Read-DbgMemory -LengthInBytes 16
719b1c40 04244c8b 060441f7 b8000000 00000001
719d8df8 04244c13 042444dd c310c483 fe4356e9
71a1e99c 04244c8b 04c231d9 244c8b00 c221d904
On the one hand, awesome!, you’re not going to be doing that in WinDbg… on the other hand, that’s not a very straightforward approach and byte granularity means you’re search for pointers in a 256 byte region or 64kB region, no in between… any thoughts on a better way to do it?
-
I’m taking the search value as a
ulong, which means it caps out at 8 bytes… supporting strings seems easy enough, but I’ve no idea how to tackle 9+ byte non-string patterns. Are there any existing commands I can crib from? -
My ultimate goal is to do something like this:
[Heap 007f0000 segment 52800000 (msvcrt!_crtheap)]
52808dec 04244c8b e808508d fff61480 cc0004c2
[<unknown>]
658d0160 04244c8d 04244489 8b4ceca1 24448965
[srvcli; "C:\Windows\System32\srvcli.dll"]
719b1c40 04244c8b 060441f7 b8000000 00000001
719d8df8 04244c13 042444dd c310c483 fe4356e9
71a1e99c 04244c8b 04c231d9 244c8b00 c221d904
Is there a way I can do grouping without accumulating?
Issue Analytics
- State:
- Created 5 years ago
- Comments:6 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Now this is looking a lot like what my heart desires 😁
I was wondering how
!PDE.spxmanages to be so much faster thanSearchVirtual2, so I took a look at how they work.ReadVirtual(filtering by virtual region attributes), casts to a pointer-size array, and indexes through that looking for matches.ReadVirtual, searching for matching byte patterns and rejecting matches with inappropriate alignment.Hmmm, so my desire to “play nice” and use SearchVirtual2 led me to wrap it in a second layer of exactly the same weaknesses. Meanwhile, PDE.spx takes exactly the same approach my fuzzy-searching prototype used, and that prototype was both easier & more intuitive to use and more capable than my first
Search-DbgMemoryattempt.Which leads me to conclude that PDE achieves it’s much better search experience because it rightly separates searching into two distinct tasks: aligned power-of-2 byte sized searches, and arbitrary size byte/character array searches. And also that using ReadVirtual to read page sized blocks and search them rather than using SearchVirtual2 is a totally reasonable and well performing approach.
So, my start on round 2: