Windbg tips for analyzing potential exploits

Search memory for pointer

The following command searches process memory for a specific DWORD value, such as a pointer or a fill pattern like 0xCDCDCDCD.  I've found this useful for searching memory after a potential stack overflow to see where my code is staged.

0:000> s -d 0x00000000 L?0xffffffff 0xCDCDCDCD
0018ce00 cdcdcdcd 0018ea20 00426de4 0002b110 …. ….mB…..
0018dde0 cdcdcdcd 0018ea20 00426de4 0002b110 …. ….mB…..
0018ee38 cdcdcdcd 0018ea20 00426de4 0002b110 …. ….mB…..
00436010 cdcdcdcd 0018ea20 00426de4 0002b110 …. ….mB…..

Search memory for string

The following command searches process memory for a specific ASCII string.  Again this is useful for searching memory after a potential overflow to see where a payload is in memory.

0:000> s -a 0x00000000 L?0xffffffff "n00bn00b"
00436c48 6e 30 30 62 6e 30 30 62-90 90 90 90 43 58 41 00 n00bn00b….CXA.
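To make the two searches concrete offline, the following Python script (an added example, not code from the original post) models `s -d` and `s -a` over a raw memory snapshot such as a dumped region. The memory image, its base address 0x00436000, and the function names are constructed for illustration. That `s -d` reports only dword-aligned matches is an assumption of this model, consistent with the aligned hit addresses in the output above; a byte-granular search is included to show what an aligned search would miss.

```python
import struct

# Constructed memory image for the example: a 256-byte region at BASE that
# contains an MSVC debug-heap fill pattern (0xCDCDCDCD), a marker string
# followed by a NOP sled, and an unaligned copy of the fill pattern.
BASE = 0x00436000
_img = bytearray(0x100)
_img[0x10:0x14] = struct.pack("<I", 0xCDCDCDCD)   # dword-aligned pattern
_img[0x14:0x18] = struct.pack("<I", 0x0018EA20)   # a neighbouring pointer
_img[0x21:0x25] = struct.pack("<I", 0xCDCDCDCD)   # unaligned pattern (offset 0x21)
_img[0x48:0x50] = b"n00bn00b"                      # marker string
_img[0x50:0x54] = b"\x90\x90\x90\x90"              # NOP sled after the marker
_img[0x54:0x58] = b"CXA\x00"
MEM = bytes(_img)


def search_bytes(mem: bytes, base: int, needle: bytes, align: int = 1) -> list:
    """Return virtual addresses (base + offset) where `needle` occurs in `mem`,
    testing only offsets that are multiples of `align`."""
    hits = []
    for off in range(0, len(mem) - len(needle) + 1, align):
        if mem[off:off + len(needle)] == needle:
            hits.append(base + off)
    return hits


def search_dword(mem: bytes, base: int, value: int) -> list:
    """Model of `s -d <base> L<len> <value>`: the value is matched as a
    little-endian DWORD at dword-aligned addresses (assumption of this model)."""
    return search_bytes(mem, base, struct.pack("<I", value), align=4)


def search_ascii(mem: bytes, base: int, text: str) -> list:
    """Model of `s -a <base> L<len> "text"`: byte-granular ASCII search."""
    return search_bytes(mem, base, text.encode("ascii"), align=1)


def hexdump_line(mem: bytes, base: int, addr: int, width: int = 16) -> str:
    """Render one WinDbg-style hit line: address, hex bytes (8-8 split by '-'),
    then the printable-ASCII column with '.' for non-printable bytes."""
    off = addr - base
    chunk = mem[off:off + width]
    hexpart = " ".join(f"{b:02x}" for b in chunk[:8])
    if len(chunk) > 8:
        hexpart += "-" + " ".join(f"{b:02x}" for b in chunk[8:])
    ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{addr:08x} {hexpart} {ascii_col}"


if __name__ == "__main__":
    # The aligned DWORD search finds only the copy at offset 0x10; the raw
    # byte search also reports the unaligned copy at offset 0x21.
    for hit in search_dword(MEM, BASE, 0xCDCDCDCD):
        print("s -d hit:", hexdump_line(MEM, BASE, hit))
    for hit in search_bytes(MEM, BASE, b"\xcd\xcd\xcd\xcd"):
        print("s -b hit:", hexdump_line(MEM, BASE, hit))
    for hit in search_ascii(MEM, BASE, "n00bn00b"):
        print("s -a hit:", hexdump_line(MEM, BASE, hit))
```

When triaging a real dump, the same distinction matters: if a fill pattern or marker is not found with `s -d`, repeat the search as a byte sequence before concluding the data is absent, since a copy that landed at an unaligned address will not be reported by the dword-sized search.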
