在大型 MEMORY.DMP 文件中搜索字符串

Question

How can I search a string in a large MEMORY.DMP file generated by Windows BSOD (Windows 8.1 64 bit)?

On 32-bit Windows, the command

s -a 0 ffffffff "my pattern"

seems to work.

But for 64-bit windows,

s -a 0 ffffffff`ffffffff "my pattern"

takes almost infinite time, even though the total size of the MEMORY.DMP is about 400MB only, while a simple grep can find the pattern within seconds.

My goal is to find the virtual address of the string to determine which stack/heap/text area is overwritten by it.

I would finally resort to interpret the file format of MEMORY.DMP by hand if the reference or specification of the file format is available. Any hints?

Answer 1

Currently this is how I do it:

1. !heap -a

Which will provide some output like below:

HEAPEXT: Unable to get address of ntdll!RtlpHeapInvalidBadAddress. Index   Address  Name      Debugging options enabled   1:   1b9be450000 
    Segment at 000001b9be450000 to 000001b9be54f000 (0008b000 bytes committed)   2:   1b9be1f0000 
    Segment at 000001b9be1f0000 to 000001b9be200000 (00001000 bytes committed)   3:   1b9bfe10000 
    Segment at 000001b9bfe10000 to 000001b9bfe1f000 (0000f000 bytes committed)
    Segment at 000001b9c3a40000 to 000001b9c3b3f000 (00005000 bytes committed)   4:   1b9be440000 
    Segment at 000001b9be440000 to 000001b9be44f000 (00007000 bytes committed)

2. Search between the start and end addresses of each segment until you find your data
3. For example: s -a 000001b9be450000 000001b9be54f000 "my pattern"

This may not work in every scenario but for me it allowed me to find the data I was looking for.