Reverse Engineering Asked by Assaf Levy on August 25, 2021
I’m searching for a string, say the old "This program cannot run".
Switching context to e.g. notepad, non-invasive, with page translation:
1: kd> !process 0 0 notepad.exe
PROCESS ffff9d05d0005080
SessionId: 2 Cid: 0368 Peb: 5c8ae78000 ParentCid: 0890
DirBase: 30305002 ObjectTable: ffffb48e166c1440 HandleCount: 232.
Image: notepad.exe
1: kd> .process /r /p ffff9d05d0005080
And sweeping for strings returns the expected result
1: kd> s -[l16]sa 7ff6e1760000 L100
00007ff6`e176004e "This program cannot be run in DO"
00007ff6`e176006e "S mode.
However, pattern search returns nothing:
1: kd> s -a 7ff6e176004e L100 "This program"
Sanity:
00007ff6`e176004e 54 68 69 73 20 70 72 6f-67 72 61 6d 20 63 61 6e This program can
00007ff6`e176005e 6e 6f 74 20 62 65 20 72-75 6e 20 69 6e 20 44 4f not be run in DO
00007ff6`e176006e 53 20 6d 6f 64 65 2e 0d-0d 0a 24 00 00 00 00 00 S mode....$.....
Now if I switch context, but this time with the invasive flag
1: kd> .process /i /r /p ffff9d05d0005080
1: kd> g
And voila
1: kd> s -a 7ff6e176004e L100 "This program"
00007ff6`e176004e 54 68 69 73 20 70 72 6f-67 72 61 6d 20 63 61 6e This program can
Since clearly WinDbg can search & find the string on its own, why is invasive needed for it to crop up during pattern search?
Thanks
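As an added example (my own code, not from the question or from WinDbg), a small Python parser that rebuilds the bytes from the `db` "Sanity" dump above and runs the equivalent of `s -a` over them, so you can confirm offline that the pattern really is at 00007ff6`e176004e regardless of what the non-invasive search reported. The regex, function names and the assumption that the dump lines are contiguous are mine.

```python
import re
from typing import List, Tuple

# The `db` output lines from the question's "Sanity" dump (copied from the page).
SANITY_DUMP = """\
00007ff6`e176004e 54 68 69 73 20 70 72 6f-67 72 61 6d 20 63 61 6e This program can
00007ff6`e176005e 6e 6f 74 20 62 65 20 72-75 6e 20 69 6e 20 44 4f not be run in DO
00007ff6`e176006e 53 20 6d 6f 64 65 2e 0d-0d 0a 24 00 00 00 00 00 S mode....$.....
"""

# One `db` line: address (WinDbg's 64-bit backtick separator included), up to 16
# hex bytes separated by spaces or the mid-line '-', then the ASCII column.
DB_LINE = re.compile(
    r"^(?P<addr>[0-9a-f`]+)\s+"
    r"(?P<hex>[0-9a-f]{2}(?:[ -][0-9a-f]{2}){0,15})"
    r"(?:\s+(?P<ascii>.*))?$",
    re.IGNORECASE,
)


def parse_db(dump: str) -> Tuple[int, bytes]:
    """Rebuild (base_address, raw_bytes) from WinDbg `db` output.
    Assumes the lines describe one contiguous region; a gap raises."""
    base, expected, buf = None, None, bytearray()
    for line in dump.splitlines():
        m = DB_LINE.match(line.strip())
        if not m:
            continue  # prompt lines, blank lines, etc.
        addr = int(m["addr"].replace("`", ""), 16)
        chunk = bytes.fromhex(m["hex"].replace("-", " "))
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError(f"non-contiguous dump at {addr:#x}, expected {expected:#x}")
        buf += chunk
        expected = addr + len(chunk)
    if base is None:
        raise ValueError("no db lines found")
    return base, bytes(buf)


def search_ascii(dump: str, pattern: str) -> List[int]:
    """Equivalent of `s -a <range> "<pattern>"`: every address at which the
    ASCII pattern occurs in the dumped bytes (matches may span dump lines)."""
    base, data = parse_db(dump)
    needle = pattern.encode("ascii")
    hits, start = [], 0
    while (i := data.find(needle, start)) != -1:
        hits.append(base + i)
        start = i + 1
    return hits
```

Matches that straddle two dump lines (such as "DOS mode") are found because the bytes are reassembled before searching, which is exactly what a `db` line-by-line eyeball check misses.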