Revisions to Find a string in the whole RAM

improve formatting

Source Link

edited Jul 1 at 6:28

2.3k
13
41
75

If this is windows, you can download windbg as noted above and attach to the process you want to search. But, if you have a 64-bit process

s -u 0 L? 7fffffff`ffffffff "find my text"

s -u 0 L? 7fffffff`ffffffff "find my text"

will take a very long time since most of the memory isn't there.

doDo this instead and it will run very fast since it only looks at memory that is there

!address -f:MEM_COMMIT -c:"s -u %1 %2 "find my text""

!address -f:MEM_COMMIT -c:"s -a %1 %2 "find my text""

!address -f:MEM_COMMIT -c:"s -u %1 %2 \"find my text\""

!address -f:MEM_COMMIT -c:"s -a %1 %2 \"find my text\""

theThe first command finds unicode strings, the second ascii.

%1%1 is the start of the block, %2%2 is the end of the block.

-f:MEM_COMMIT-f:MEM_COMMIT only lists memory that is actually present, check the help for other flags, like -f:image-f:image or -f:stack-f:stack.

If this is windows, you can download windbg as noted above and attach to the process you want to search. But, if you have a 64-bit process

s -u 0 L? 7fffffff`ffffffff "find my text"

will take a very long time since most of the memory isn't there.

do this instead and it will run very fast since it only looks at memory that is there

!address -f:MEM_COMMIT -c:"s -u %1 %2 "find my text""

!address -f:MEM_COMMIT -c:"s -a %1 %2 "find my text""

the first command finds unicode strings, the second ascii

%1 is the start of the block, %2 is the end of the block.

-f:MEM_COMMIT only lists memory that is actually present, check the help for other flags, like -f:image or -f:stack

If this is windows, you can download windbg as noted above and attach to the process you want to search. But, if you have a 64-bit process

s -u 0 L? 7fffffff`ffffffff "find my text"

will take a very long time since most of the memory isn't there.

Do this instead and it will run very fast since it only looks at memory that is there:

!address -f:MEM_COMMIT -c:"s -u %1 %2 \"find my text\""

!address -f:MEM_COMMIT -c:"s -a %1 %2 \"find my text\""

The first command finds unicode strings, the second ascii.

%1 is the start of the block, %2 is the end of the block.

-f:MEM_COMMIT only lists memory that is actually present, check the help for other flags, like -f:image or -f:stack.

added 2 characters in body

Source Link

edited Jul 1 at 5:45

NemoX

1
2

If this is windows, you can download windbg as noted above and attach to the process you want to search. But, if you have a 64-bit process

s -u 0 L? 7fffffff`ffffffff "find my text"

will take a very long time since most of the memory isn't there.

do this instead and it will run very fast since it only looks at memory that is there

!address -f:MEM_COMMIT -c:"s -u %1 %2 "find my text""

!address -f:MEM_COMMIT -c:"s -a %1 %2 "find my text""

the first command finds unicode strings, the second ascii

%1 is the start of the block, %2 is the end of the block.

-f:MEM_COMMIT only lists memory that is actually present, check the help for other flags, like -f:image or -f:stack

Source Link

created Jul 1 at 5:45

NemoX

1
2

If this is windows, you can download windbg as noted above and attach to the process you want to search. But, if you have a 64-bit process

s -u 0 L? 7fffffff`ffffffff "find my text"

will take a very long time since most of the memory isn't there.

do this instead and it will run very fast since it only looks at memory that is there

!address -f:MEM_COMMIT -c:"s -u %1 %2 "find my text"" !address -f:MEM_COMMIT -c:"s -a %1 %2 "find my text""

the first command finds unicode strings, the second ascii

%1 is the start of the block, %2 is the end of the block.

-f:MEM_COMMIT only lists memory that is actually present, check the help for other flags, like -f:image or -f:stack

Stack Exchange Network

Return to Answer