How to search all memory for a unicode string

[Paul Gomes]

I am trying to search through a mini dump file for all occurrances of
a specified unicode string.

If I issue du of a specific address, I see the string.
0:174> du 2c67017c
2c67017c "Set=V1"

I then issue the following memory search command and get these
results:

0:174> s -u 00000000 L?FFFFFFFF "Set=V1"
0020d030 0053 0065 0074 003d 0056 0031 0026 0053 S.e.t.=.V.1.&.S.
054fe040 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.
0557f058 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.
05c1b058 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.
05ca2130 0053 0065 0074 003d 0056 0031 0026 0053 S.e.t.=.V.1.&.S.
05d2f030 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.
06027114 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.
08399168 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.
088b500c 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.
0b1e4018 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.
0b1e4228 0053 0065 0074 003d 0056 0031 0026 0053 S.e.t.=.V.1.&.S.

This search of the entire address space does not find the string at
location "2c67017c" from my original du 2c67017c command.

This makes me believe that I am not searching the entire address
space.

What command should I issue to search the entire address space?

Cheers,
PaulG

[Pavel Lebedinsky]

To search the entire address space (0x0 - 0x80000000, on 32 bit
OS without /3GB switch) you should do

s -u 0 L?40000000 "foo"

Length should be 0x40000000 rather than 0x80000000 because
it's implicitly multiplied by the size of the type you're searching
for - in this case, WCHAR.

That said, L?FFFFFFFF also seems to work for me, even though
it ends up going through the entire address space (0 - 4GB) twice.

I'm not sure how to explain the behavior you're seeing.

[Andre Vachon [MS]]

Can you try
s -u 2c67017c L?100 "Set=V1"
and then
s -u 2c670170 L?100 "Set=V1"
and etc

To see if you can isolate the issue ?

Also I assume you are using 6.3 .17 ?

-Andre

"Paul Gomes" <peg...@yahoo.com> wrote in message
news:9d178031.04062...@posting.google.com...

[Paul Gomes]

I am using windbg.exe version 6.3.0017.0.

I kept decrementing the start addr and all worked as expected.

0:174> s -u 2c67017c L?100 "Set=V1"
2c67017c 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.
0:174> s -u 2c670170 L?100 "Set=V1"
2c67017c 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.
0:174> s -u 2c670120 L?100 "Set=V1"
2c67017c 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.
0:174> s -u 2c67007C L?100 "Set=V1"
2c67017c 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.
0:174> s -u 2c67007B L?100 "Set=V1"

To restate my problem ... I am looking for a reliable means of searching
all memory for a unicode string.

Does it make a difference that this is a mini-dump and not a full-dump?

Thanks for the help,
PaulG

"Andre Vachon [MS]" <and...@online.microsoft.com> wrote in message news:<ef8bYE0W...@TK2MSFTNGP11.phx.gbl>...

[Paul Gomes]

A more specific example ... the first search does not find the string
while the second search does.
0:174> s -u 2c67006c L?10000000 "Set=V1"
0:174> s -u 2c67007c L?10000000 "Set=V1"
2c67017c 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.

And another example ... the first search does not find the string
while the second search does.
0:174> s -u 2c67006c L?200 "Set=V1"
0:174> s -u 2c67007c L?200 "Set=V1"
2c67017c 0053 0065 0074 003d 0056 0031 0026 0046 S.e.t.=.V.1.&.F.

"Andre Vachon [MS]" <and...@online.microsoft.com> wrote in message news:<ef8bYE0W...@TK2MSFTNGP11.phx.gbl>...

[Paul Gomes]

Any insight into this?
Cheers,
PaulG

peg...@yahoo.com (Paul Gomes) wrote in message news:<9d178031.04062...@posting.google.com>...