Last reviewed and updated: 10 August 2020
Oftentimes it’s useful to search an image for strings; they can provide clues as to where a module came from or what exactly was running on a machine. However, doing this typically requires extracting the image from a memory dump and running a standalone tool over it. If you want to save yourself some time, you can instead do this right from the debugger with s, the search memory command. It takes a type specifier (sa for ANSI, su for Unicode) and a range, which is either a start and end address or a start address and an L length, and prints each hit as an address followed by the string found there. For a loaded module, the start and end of the range can be taken straight from the output of lm.
Searching for ANSI Strings
To search for ANSI strings, use the following syntax:
s -sa range
For example:
0: kd> s -sa fffff880`0132b000 fffff880`0132c000
fffff880`0132b04d  "!This program cannot be run in D"
fffff880`0132b06d  "OS mode."
fffff880`0132b0c8  "Rich"
fffff880`0132b1f0  ".text"
fffff880`0132b217  "h.rdata"
fffff880`0132b23f  "H.data"
fffff880`0132b268  ".pdata"
fffff880`0132b28f  "HPAGE"
fffff880`0132b2b7  "`INIT"
fffff880`0132b2e0  ".rsrc"
fffff880`0132b307  "B.reloc"

Two things are worth knowing when reading this output. First, each hit is displayed as at most 32 characters, so a longer run of text is reported as consecutive hits: the 40-character DOS stub message appears as "!This program cannot be run in D" at ...b04d followed by "OS mode." 0x20 bytes later at ...b06d. Second, the search reports any run of printable bytes, not just real strings, which is why some section names pick up a stray leading character ("h.rdata", "H.data", "HPAGE", "`INIT", "B.reloc"). Section headers are packed back to back, so the byte immediately before each name is the high byte of the previous section's Characteristics field (for example 0x68, the letter h, from a driver .text section with characteristics 0x68000020), and that byte happens to be printable. The actual section names here are .text, .rdata, .data, .pdata, PAGE, INIT, .rsrc and .reloc.
Searching for Unicode Strings
To search for Unicode strings, use the following syntax:
s -su range
For example:
0: kd> s -su fffff880`01370100 fffff880`01371100
fffff880`01370132  "WEVT_TEMPLATE"
fffff880`0137014e  "MUI"
fffff880`01370166  "VS_VERSION_INFO"
fffff880`013701c2  "StringFileInfo"
fffff880`013701e6  "000004B0"
fffff880`013701fe  "CompanyName"
fffff880`01370218  "Microsoft Corporation"
fffff880`0137024a  "FileDescription"

This range falls in the module's resource data, so the hits are resource type names (WEVT_TEMPLATE, MUI) and the keys and values of its version information block, which is exactly the kind of provenance detail you are usually after.
Specifying a Minimum Character Requirement
By default, any string of at least three characters is displayed in the output (the three-character "MUI" hit above is the shortest you will see). You can raise this limit with the l (lower case L) flag. The syntax is a bit strange: the flag and its value go in square brackets immediately after the dash, before the sa or su type specifier. Here's an example that searches for ANSI strings of at least six characters; compared with the earlier run, the "Rich", ".text", "HPAGE", "`INIT" and ".rsrc" hits are dropped because they are shorter than that:
0: kd> s -[l6]sa fffff880`0132b000 fffff880`0132c000
fffff880`0132b04d  "!This program cannot be run in D"
fffff880`0132b06d  "OS mode."
fffff880`0132b217  "h.rdata"
fffff880`0132b23f  "H.data"
fffff880`0132b268  ".pdata"
fffff880`0132b307  "B.reloc"
The same syntax also applies to Unicode searches; here the three-character "MUI" hit is the one that disappears:
0: kd> s -[l6]su fffff880`01370100 fffff880`01371100
fffff880`01370132  "WEVT_TEMPLATE"
fffff880`01370166  "VS_VERSION_INFO"
fffff880`013701c2  "StringFileInfo"
fffff880`013701e6  "000004B0"
fffff880`013701fe  "CompanyName"
fffff880`01370218  "Microsoft Corporation"
fffff880`0137024a  "FileDescription"
fffff880`0137026c  "Storage Spaces Driver"
fffff880`0137029e  "FileVersion"
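To make the behaviour of the ANSI and Unicode searches and the l flag concrete, here is a small Python emulation of them that runs over a raw byte range and prints hits in the same address-plus-string layout as kd. It is an added example, not code from the original post and not WinDbg's own implementation. It assumes that a "string" is a run of printable 7-bit ASCII bytes (or, for the Unicode case, UTF-16LE code units with a zero high byte), that the minimum length applies to the whole run, and that long runs are reported as 32-character chunks, which is what the output above shows. The two byte buffers are constructed to resemble a PE header and a version resource; they are not taken from a real dump.

```python
"""Emulation of WinDbg's `s -sa` / `s -su` string search over a raw byte range.

Added example for this post; it is not WinDbg's code. The printability rule
(printable 7-bit ASCII, or UTF-16LE units with a zero high byte) is an assumption.
"""

PRINTABLE = range(0x20, 0x7F)   # assumed "string" bytes: printable 7-bit ASCII
MAX_SHOWN = 32                  # the post's output reports each hit as at most 32 characters


def _report(hits, addr, text, min_len, width):
    """Append a run as successive MAX_SHOWN-character hits; `width` is bytes per character."""
    if len(text) < min_len:     # assumption: the l flag is applied to the whole run
        return
    for k in range(0, len(text), MAX_SHOWN):
        hits.append((addr + k * width, text[k:k + MAX_SHOWN]))


def find_ascii_strings(buf: bytes, base: int, min_len: int = 3):
    """Equivalent of `s -[l<min_len>]sa <base> <base+len(buf)>`; returns (address, text) pairs."""
    hits, i, n = [], 0, len(buf)
    while i < n:
        if buf[i] not in PRINTABLE:
            i += 1
            continue
        j = i
        while j < n and buf[j] in PRINTABLE:
            j += 1
        _report(hits, base + i, buf[i:j].decode("ascii"), min_len, width=1)
        i = j
    return hits


def find_unicode_strings(buf: bytes, base: int, min_len: int = 3):
    """Equivalent of `s -[l<min_len>]su ...`: runs of UTF-16LE units whose high byte is zero."""
    hits, i, n = [], 0, len(buf)
    while i + 1 < n:
        if not (buf[i] in PRINTABLE and buf[i + 1] == 0):
            i += 1              # strings need not be 2-byte aligned, so advance one byte at a time
            continue
        j = i
        while j + 1 < n and buf[j] in PRINTABLE and buf[j + 1] == 0:
            j += 2
        _report(hits, base + i, buf[i:j].decode("utf-16-le"), min_len, width=2)
        i = j
    return hits


def fmt_addr(a: int) -> str:
    """64-bit address in kd's hi`lo form."""
    return f"{a >> 32:08x}`{a & 0xFFFFFFFF:08x}"


def format_hits(hits):
    """Render hits the way kd prints them: address, two spaces, quoted string."""
    return [f'{fmt_addr(a)}  "{s}"' for a, s in hits]


# Constructed sample data (not from a real dump), laid out like the start of a PE image.
BASE = 0xFFFFF880_01000000
SAMPLE_ASCII = (
    b"MZ\x90\x00\x03\x00\x00\x00"                         # "MZ" is 2 chars: below the default minimum
    b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd"                   # DOS stub code, nothing printable
    b"!This program cannot be run in DOS mode.\r\r\n$"    # 40-char message: reported as 32 + 8
    b"\x00\x00\x00Rich\x1b\x7b\x00\x00PE\x00\x00"         # "Rich" (4) passes; "{" and "PE" do not
    b".text\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x68"  # 0x68 is the printable Characteristics byte
    b".rdata\x00\x00"                                     # ...that yields the post's "h.rdata" hit
)


def _u(s: str) -> bytes:
    """NUL-terminated UTF-16LE string, as found in a version resource."""
    return s.encode("utf-16-le") + b"\x00\x00"


SAMPLE_UNICODE = (
    b"\x00\x00\x04\x00" + _u("VS_VERSION_INFO")
    + b"\xbd\x04\xef\xfe"                                 # VS_FIXEDFILEINFO signature, not printable
    + _u("MUI") + _u("StringFileInfo") + _u("000004B0")
    + _u("CompanyName") + _u("Microsoft Corporation")
)

if __name__ == "__main__":
    for label, fn, buf, min_len in [
        ("s -sa", find_ascii_strings, SAMPLE_ASCII, 3),
        ("s -[l6]sa", find_ascii_strings, SAMPLE_ASCII, 6),
        ("s -su", find_unicode_strings, SAMPLE_UNICODE, 3),
        ("s -[l6]su", find_unicode_strings, SAMPLE_UNICODE, 6),
    ]:
        print(f"0: kd> {label} {fmt_addr(BASE)} {fmt_addr(BASE + len(buf))}")
        print("\n".join(format_hits(fn(buf, BASE, min_len))))
```

Running it reproduces the two effects discussed above on the constructed data: the 40-character DOS stub message comes out as a 32-character hit followed by "OS mode." 0x20 bytes later, the printable 0x68 byte in front of ".rdata" turns into an "h.rdata" hit, and raising the minimum length to six removes "Rich", ".text" and "MUI" while leaving the longer strings in place.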