s command doesn't work

ysys

Hi dear all,
According to the WinDbg documentation, a virtual address is interpreted in a process context (it uses the process's paging table), so if there is no process context (for example, when debugging winload, which has no concept of a process), the s command will not work:

kd> db 0000000000844000 l2
0000000000844000 4d 5a MZ
kd> s 00000000`00844000 l2 4d 5a

The s command returns nothing.

So, is there any alternative to the s command in this situation?
And why does the db command work? It seems that interpreting a virtual address in a db command does not use the process context.
Many thanks!!!


  Peter_Viscarola_(OSR)
    edited February 8

    @ys: I saw your post caught in the spam filter. Check out this post... no need for you to repost multiple times.


    ETA: I've marked your account to indicate that posts from you should never be considered spam in the future.

    Peter Viscarola

  raj_r
    via Email
    search and display byte both should not work differently

    windbg has broken because of sxe ibp here

    kd> !process 0 0
    NULL value in PsActiveProcess List
    kd> ? nt
    Evaluate expression: -2105483264 = 8280e000
    kd> db nt l2
    8280e000 4d 5a MZ
    kd> s nt l2 5a
    8280e001 5a 90 00 03 00 00 00 04-00 00 00 ff ff 00 00 b8 Z...............
  raj_r
    edited February 9 via Email
    @ys it appears there is some bug when using search memory during the WinLoad stage.
    I just booted a win-x 32 bit vm (15563 rs2) with /bootdebug on and
    tried to search, and it appears it can search for ASCII strings but not
    bytes. I think you should possibly raise an issue in their GitHub doc.
    kd> kb
     # ChildEBP RetAddr  Args to Child
    00 001a62dc 00746796 00000000 00000000 00000000 winload!BlStatusError+0x62
    01 001a6708 0073e69e 00000000 00000000 00000000 winload!OslFatalErrorEx+0x4c9
    02 001a6f80 0073e29a 001a6fc8 801c80a0 001a6fe8
    03 001a6f90 0073e231 0010be48 004831d0 00061d34 winload!OslpMain+0x13
    04 001a6fe8 0048320a 0010be48 00061d34 00000000 winload!OslMain+0x101
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    05 00000000 f000ff53 f000e2c3 f000ff53 f000ff53 0x48320a
    06 ffffffff 00000000 00e2c3f0 00ff53f0 00ff53f0 0xf000ff53
    kd> r
    eax=00000000 ebx=c0000001 ecx=0081c760 edx=00000060 esi=00000001 edi=0000000f
    eip=0077f821 esp=001a62d4 ebp=001a62dc iopl=0         nv up di pl nz ac pe nc
    cs=0020  ss=0030  ds=0030  es=0030  fs=0060  gs=0060             efl=00000016
    0077f821 cc              int     3
    kd> dc . l20
    0077f821  5d5e5fcc 8b000cc2 ec8b55ff 81f8e483  ._^].....U......
    0077f831  0001acec 8b565300 57f18bda 0a75db85  .....SV....W..u.
    0077f841  00000db8 0116e9c0 948d0000 00009824  ............$...
    0077f851  3e9ae800 c085fffd 0102880f 448d0000  ...>...........D
    0077f861  44c71824 00001024 44890080 848b1424  $..D$......D$...
    0077f871  00009824 00e88300 83486674 4b7401e8  $.......tfH...tK
    0077f881  01e88348 83481f74 3f7401e8 7401e883  H...t.H...t?...t
    0077f891  0002b80a c5e9c000 b8000000 c00000bb  ................
    kd> s . l50 44 89
    kd> s -b 77f821 77f8a1 44 89
    kd> s -[l2]sa 77f821 77f8a1
    0077f822  "_^]"
    0077f836  "SV"
    0077f860  "D$"
    0077f864  "D$"
    0077f86c  "D$"
    0077f879  "tfH"
    0077f87f  "tKH"
    0077f88b  "t?"
    it also appears you can search for aligned dwords but not bytes
    kd> s -d . l60 0xc00000bb
    0077f89d  c00000bb 0000bbe9 d0e86800 448d0080  .........h.....D
    kd> s -b . l60 0xc0
    kd> s -d . l60 0xc5e9
    kd> s -d . l60 0xc5e9????
    Syntax error at '????'
    kd> s -d . l60 0xc5e9c000
    0077f895  c5e9c000 b8000000 c00000bb 0000bbe9  .............
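
An offline cross-check for `s` results like the ones above, added here as an example and not posted by anyone in the thread: it rebuilds the byte stream from `dc` output (which prints little-endian dwords) and searches it in Python. `DC_DUMP` is a constructed sample made of four rows copied from the `dc . l20` output above; `dc_to_bytes` and `find_all` are hypothetical helper names.

```python
import re

# Constructed sample: four rows copied from the `dc . l20` output in the thread.
DC_DUMP = """\
0077f841  00000db8 0116e9c0 948d0000 00009824  ............$...
0077f851  3e9ae800 c085fffd 0102880f 448d0000  ...>...........D
0077f861  44c71824 00001024 44890080 848b1424  $..D$......D$...
0077f871  00009824 00e88300 83486674 4b7401e8  $.......tfH...tK
"""

# Address (32-bit, or 64-bit with a backtick), then up to four 8-digit dwords.
ROW = re.compile(r"^\s*([0-9a-fA-F`]+)\s+((?:[0-9a-fA-F]{8}\s+){1,4})")

def dc_to_bytes(dump):
    """Return (base_address, memory_bytes) for contiguous `dc` rows."""
    base, buf = None, bytearray()
    for line in dump.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip prompts, warnings and blank lines
        addr = int(m.group(1).replace("`", ""), 16)
        if base is None:
            base = addr
        elif addr != base + len(buf):
            raise ValueError(f"gap in dump at {addr:#x}")
        for dword in m.group(2).split():
            # dc shows each dword as a number; memory holds it low byte first.
            buf += int(dword, 16).to_bytes(4, "little")
    if base is None:
        raise ValueError("no dc rows found")
    return base, bytes(buf)

def find_all(dump, pattern):
    """Return every address in the dump where the byte pattern starts."""
    base, mem = dc_to_bytes(dump)
    hits, i = [], mem.find(pattern)
    while i != -1:
        hits.append(base + i)
        i = mem.find(pattern, i + 1)
    return hits

if __name__ == "__main__":
    for pat in (b"\x44\x89", b"\x89\x44", b"\xc0", b"D$"):
        print(pat.hex(" "), [f"{a:08x}" for a in find_all(DC_DUMP, pat)])
```

On these rows the dword shown as `44890080` is stored as the bytes `80 00 89 44`, so the byte pair `44 89` does not occur, while the byte `c0` occurs at 0077f845 and 0077f858 and `D$` lands on the same addresses the `s -[l2]sa` search reported.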
