Searching only writeable memory?

Taed_Wynnell · November 7, 2008, 4:33pm

I was searching for the contents of a buffer in a crash dump file and
this found it just fine:
s -a 80000000 L?80000000 “11/07/08 09:19:”

I then saw that there’s a search option described thus. If that worked,
it seems that it could speed up my search since I know it’s a read/write
buffer.
w Searches only writeable memory regions. You must
enclose the “w” in brackets.

So, I tried a number of different forms, but none worked. I either got
syntax erorrs, or no error but it would return right away. It seems
that this should work:
s -[w]a 80000000 L?80000000 “11/07/08 09:19:”

So, what is the correct format of what I want to do? I tried Googling,
but just found the same sort of descriptions, but no actual working
examples.

(Thanks in advance!)

Ken_Johnson · November 7, 2008, 5:04pm

Hmm? seems like ?w? filtering might be broken for null-terminated string searches (using ?s?):

It works for me for, example, dword searches:

0:001> s -d ntdll l1000 0x0eba1f0e
00000000`774a0040 0eba1f0e cd09b400 4c01b821 685421cd …!..L.!Th
0:001> s -[w]d ntdll l1000 0x0eba1f0e

0:001> !vprot ntdll
BaseAddress: 00000000774a0000
AllocationBase: 00000000774a0000
AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY
RegionSize: 0000000000001000
State: 00001000 MEM_COMMIT
Protect: 00000002 PAGE_READONLY
Type: 01000000 MEM_IMAGE

0:001> db @$peb
000007fffffde000 00 00 01 08 00 00 00 00-ff ff ff ff ff ff ff ff ................ 000007fffffde010 00 00 18 4a 00 00 00 00-60 c9 5a 77 00 00 00 00 …J….Zw.... 000007fffffde020 a0 20 20 00 00 00 00 00-00 00 00 00 00 00 00 00 . …
000007fffffde030 00 00 20 00 00 00 00 00-60 c3 5a 77 00 00 00 00 .. ......Zw…
000007fffffde040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000007fffffde050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …
000007fffffde060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000007fffffde070 00 00 00 00 00 00 00 00-f0 c8 5a 77 00 00 00 00 …Zw…
0:001> s -[w]d @$peb l1000 775ac960
000007fffffde018 775ac960 00000000 002020a0 00000000 .Zw… …
0:001> s -d @$peb l1000 775ac960
000007fffffde018 775ac960 00000000 002020a0 00000000 .Zw… …
0:001> !vprot @$peb
BaseAddress: 000007fffffde000
AllocationBase: 000007fffffde000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 0000000000001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE

However, I don?t get any output when requesting ?w? filtering for null-term?d string searches:

0:001> s -a @$peb l1000 “Zw”
000007fffffde01a 5a 77 00 00 00 00 a0 20-20 00 00 00 00 00 00 00 Zw..... ....... 000007fffffde03a 5a 77 00 00 00 00 00 00-00 00 00 00 00 00 00 00 Zw…
000007fffffde07a 5a 77 00 00 00 00 01 00-00 00 00 00 00 00 00 00 Zw.............. 000007fffffde112 5a 77 00 00 00 00 06 00-00 00 00 00 00 00 71 17 Zw…q.
000007fffffde23a 5a 77 00 00 00 00 01 00-00 00 00 00 00 00 00 00 Zw.............. 000007fffffde33a 5a 77 00 00 00 00 03 00-00 00 00 00 00 00 00 00 Zw…
0:001> s -[w]a @$peb l1000 “Zw”

Copying the windbg feedback alias as it looks broken to me. Can you hack it in your case by searching for a 32-bit or 64-bit quantity?

- S

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Taed Wynnell
Sent: Friday, November 07, 2008 4:33 PM
To: Kernel Debugging Interest List
Subject: [windbg] Searching only writeable memory?

I was searching for the contents of a buffer in a crash dump file and this found it just fine:
s -a 80000000 L?80000000 “11/07/08 09:19:”

I then saw that there’s a search option described thus. If that worked, it seems that it could speed up my search since I know it’s a read/write buffer.

w Searches only writeable memory regions. You must enclose the “w” in brackets.

So, I tried a number of different forms, but none worked. I either got syntax erorrs, or no error but it would return right away. It seems that this should work:

s -[w]a 80000000 L?80000000 “11/07/08 09:19:”

So, what is the correct format of what I want to do? I tried Googling, but just found the same sort of descriptions, but no actual working examples.

(Thanks in advance!)

—
You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

raj_r · November 9, 2008, 8:41am

On 11/8/08, Skywing wrote:
>
>
>
> Hmm? seems like “w” filtering might be broken for null-terminated string
> searches (using “s”):
>

it seems to be working for me

0:000> s -[w]a 0 l?7fffffff “win”;.foreach (place {s -[1w]a 0
l?7fffffff “win”}) {!vprot place};s -[w]u 0 l?7fffffff “win”; ;s
-[1w]u 0 l?7fffffff “win”;.foreach (place {s -[1w]u 0 l?7fffffff
“win”}) {!vprot place};version
00091f14 77 69 6e 64 62 67 2e 65-78 65 22 00 ab ab ab ab windbg.exe"…
BaseAddress: 00091000
AllocationBase: 00090000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00002000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
00010372 0077 0069 006e 0065 0078 0074 005c 0061 w.i.n.e.x.t..a.
00010ad8 0077 0069 006e 0064 0069 0072 003d 0043 w.i.n.d.i.r.=.C.
000205ca 0077 0069 006e 0065 0078 0074 005c 0061 w.i.n.e.x.t..a.
00020806 0077 0069 006e 0064 0062 0067 002e 0065 w.i.n.d.b.g…e.
00020884 0077 0069 006e 0064 0062 0067 002e 0065 w.i.n.d.b.g…e.
00020902 0077 0069 006e 0064 0062 0067 002e 0065 w.i.n.d.b.g…e.
0x00010372
0x00010ad8
0x000205ca
0x00020806
0x00020884
0x00020902
BaseAddress: 00010000
AllocationBase: 00010000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00010000
AllocationBase: 00010000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Windows XP Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Debug session time: Sun Nov 9 18:58:53.968 2008 (GMT+5)
System Uptime: 0 days 1:38:19.561
Process Uptime: 0 days 0:17:50.031
Kernel time: 0 days 0:00:00.015
User time: 0 days 0:00:00.015
Live user mode:

Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.

command line: '“C:\Program Files\Debugging Tools for Windows
(x86)\windbg.exe” ’ Debugger Process 0x1E0
dbgeng: image 6.9.0003.113, built Fri Mar 21 06:59:34 2008
[path: C:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll]
dbghelp: image 6.9.0003.113, built Fri Mar 21 06:58:43 2008
[path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
DIA version: 21024

the output loos same like older version

0:000> s -[w]a 0 l?7fffffff “win”;.foreach (place {s -[1w]a 0
l?7fffffff “win”}) {!vprot place};s -[w]u 0 l?7fffffff “win”; ;s
-[1w]u 0 l?7fffffff “win”;.foreach (place {s -[1w]u 0 l?7fffffff
“win”}) {!vprot place};version
00081ee6 77 69 6e 64 5c 77 69 6e-64 62 67 2e 65 78 65 00 wind\windbg.exe.
00081eeb 77 69 6e 64 62 67 2e 65-78 65 00 ab ab ab ab ab windbg.exe…
BaseAddress: 00081000
AllocationBase: 00080000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00002000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00081000
AllocationBase: 00080000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00002000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
00010318 0077 0069 006e 0064 005c 0077 0069 006e w.i.n.d..w.i.n.
00010322 0077 0069 006e 0065 0078 0074 005c 0061 w.i.n.e.x.t..a.
00010a2e 0077 0069 006e 0064 0000 0077 0069 006e w.i.n.d…w.i.n.
00010a38 0077 0069 006e 0064 0069 0072 003d 0043 w.i.n.d.i.r.=.C.
0002029c 0077 0069 006e 0064 005c 0000 0000 0000 w.i.n.d..…
000204a4 0077 0069 006e 0064 003b 0043 003a 005c w.i.n.d.;.C.:..
00020520 0077 0069 006e 0064 005c 0077 0069 006e w.i.n.d..w.i.n.
0002052a 0077 0069 006e 0065 0078 0074 005c 0061 w.i.n.e.x.t..a.
0002070c 0077 0069 006e 0064 005c 0077 0069 006e w.i.n.d..w.i.n.
00020716 0077 0069 006e 0064 0062 0067 002e 0065 w.i.n.d.b.g…e.
00020738 0077 0069 006e 0064 005c 0077 0069 006e w.i.n.d..w.i.n.
00020742 0077 0069 006e 0064 0062 0067 002e 0065 w.i.n.d.b.g…e.
00020764 0077 0069 006e 0064 005c 0077 0069 006e w.i.n.d..w.i.n.
0002076e 0077 0069 006e 0064 0062 0067 002e 0065 w.i.n.d.b.g…e.
0018244c 0077 0069 006e 0064 005c 0064 0062 0067 w.i.n.d..d.b.g.
001824fc 0077 0069 006e 0064 005c 0064 0062 0067 w.i.n.d..d.b.g.
0x00010318
0x00010322
0x00010a2e
0x00010a38
0x0002029c
0x000204a4
0x00020520
0x0002052a
0x0002070c
0x00020716
0x00020738
0x00020742
0x00020764
0x0002076e
0x0018244c
0x001824fc
BaseAddress: 00010000
AllocationBase: 00010000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00010000
AllocationBase: 00010000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00010000
AllocationBase: 00010000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00010000
AllocationBase: 00010000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00020000
AllocationBase: 00020000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00182000
AllocationBase: 00180000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00004000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00182000
AllocationBase: 00180000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00004000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Windows XP Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Debug session time: Sun Nov 9 18:57:54.078 2008 (GMT+5)
System Uptime: 0 days 1:37:19.663
Process Uptime: 0 days 0:16:02.734
Kernel time: 0 days 0:00:00.046
User time: 0 days 0:00:00.031
Live user mode:
command line: '“E:\oldwind\windbg.exe” ’ Debugger Process 0x5C8
dbgeng: image 6.4.0007.2, built Sat Jan 15 03:06:58 2005
[path: E:\oldwind\dbgeng.dll]
dbghelp: image 6.4.0007.1, built Thu Jan 13 00:53:59 2005
[path: E:\oldwind\dbghelp.dll]
DIA version: 40416
Extension DLL search Path:

0:000> s -[w]d 0 l?7fffffff 70 ;.foreach (place {s -[1w]d 0
l?7fffffff 70}) {!vprot place}
000107c8 00000070 004d0054 003d0050 003a0043 p…T.M.P.=.C.:.
00010818 00000070 00470055 00490049 0042005f p…U.G.I.I._.B.
7ffde068 00000070 00000000 079b8000 ffffe86d p…m…
BaseAddress: 00010000
AllocationBase: 00010000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 00010000
AllocationBase: 00010000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
BaseAddress: 7ffde000
AllocationBase: 7ffde000
AllocationProtect: 00000004 PAGE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE

regards

raj

On 11/8/08, Skywing wrote:
>
>
>
> Hmm? seems like “w” filtering might be broken for null-terminated string
> searches (using “s”):
>
>
>
> It works for me for, example, dword searches:
>
>
>
> 0:001> s -d ntdll l1000 0x0eba1f0e
>
> 00000000774a0040 0eba1f0e cd09b400 4c01b821 685421cd ........!..L.!Th > > 0:001> s -[w]d ntdll l1000 0x0eba1f0e > > > > 0:001> !vprot ntdll > > BaseAddress: 00000000774a0000 > > AllocationBase: 00000000774a0000 > > AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY > > RegionSize: 0000000000001000 > > State: 00001000 MEM_COMMIT > > Protect: 00000002 PAGE_READONLY > > Type: 01000000 MEM_IMAGE > > > > 0:001> db @$peb > > 000007fffffde000 00 00 01 08 00 00 00 00-ff ff ff ff ff ff ff ff
> …
>
> 000007fffffde010 00 00 18 4a 00 00 00 00-60 c9 5a 77 00 00 00 00 > ...J.....Zw…
>
> 000007fffffde020 a0 20 20 00 00 00 00 00-00 00 00 00 00 00 00 00 . > ............. > > 000007fffffde030 00 00 20 00 00 00 00 00-60 c3 5a 77 00 00 00 00 …
> ….Zw.... > > 000007fffffde040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
> …
>
> 000007fffffde050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 > ................ > > 000007fffffde060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
> …
>
> 000007fffffde070 00 00 00 00 00 00 00 00-f0 c8 5a 77 00 00 00 00 > ..........Zw.... > > 0:001> s -[w]d @$peb l1000 775ac960 > > 000007fffffde018 775ac960 00000000 002020a0 00000000 .Zw..... ..... > > 0:001> s -[]d @$peb l1000 775ac960 > > 000007fffffde018 775ac960 00000000 002020a0 00000000 .Zw..... ..... > > 0:001> !vprot @$peb > > BaseAddress: 000007fffffde000 > > AllocationBase: 000007fffffde000 > > AllocationProtect: 00000004 PAGE_READWRITE > > RegionSize: 0000000000001000 > > State: 00001000 MEM_COMMIT > > Protect: 00000004 PAGE_READWRITE > > Type: 00020000 MEM_PRIVATE > > > > However, I don't get any output when requesting "w" filtering for > null-term'd string searches: > > > > 0:001> s -[]a @$peb l1000 "Zw" > > 000007fffffde01a 5a 77 00 00 00 00 a0 20-20 00 00 00 00 00 00 00 Zw…
> …
>
> 000007fffffde03a 5a 77 00 00 00 00 00 00-00 00 00 00 00 00 00 00 > Zw.............. > > 000007fffffde07a 5a 77 00 00 00 00 01 00-00 00 00 00 00 00 00 00
> Zw…
>
> 000007fffffde112 5a 77 00 00 00 00 06 00-00 00 00 00 00 00 71 17 > Zw............q. > > 000007fffffde23a 5a 77 00 00 00 00 01 00-00 00 00 00 00 00 00 00
> Zw…
>
> 000007ff`fffde33a 5a 77 00 00 00 00 03 00-00 00 00 00 00 00 00 00
> Zw…
>
> 0:001> s -[w]a @$peb l1000 “Zw”
>
>
>
> > ?[w]d">
>
>
>
> Copying the windbg feedback alias as it looks broken to me. Can you hack it
> in your case by searching for a 32-bit or 64-bit quantity?
>
>
>
> - S
>
>
>
>
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> Taed Wynnell
> Sent: Friday, November 07, 2008 4:33 PM
> To: Kernel Debugging Interest List
> Subject: [windbg] Searching only writeable memory?
>
>
>
>
> I was searching for the contents of a buffer in a crash dump file and this
> found it just fine:
> s -a 80000000 L?80000000 “11/07/08 09:19:”
>
> I then saw that there’s a search option described thus. If that worked, it
> seems that it could speed up my search since I know it’s a read/write
> buffer.
>
> w Searches only writeable memory regions. You must enclose the
> “w” in brackets.
>
> So, I tried a number of different forms, but none worked. I either got
> syntax erorrs, or no error but it would return right away. It seems that
> this should work:
>
> s -[w]a 80000000 L?80000000 “11/07/08 09:19:”
>
> So, what is the correct format of what I want to do? I tried Googling, but
> just found the same sort of descriptions, but no actual working examples.
>
> (Thanks in advance!)
>
>
> —
> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
>
>
> —
> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com