Beginning windbg - how to search for a string and return memory location


  • Hi all. First post here. I'm beginning to play around with Windbg to get a feel for its capabilities. I've walked through a couple tutorials and am trying to carry out a simple task of typing a string in notepad.exe, then using windbg to find the memory location of this string. Are these the steps I should be taking?

    1. Manually open notepad.exe and type the string ("hello").
    2. Open windbg and attach to the existing notepad.exe process.
    3. Locate the notepad.exe start and end memory locations using the windbg command:

      lmf m notepad

    (this returned 005f0000 and 00620000 respectively)

    1. Search for the ascii string "hello" using the windbg command:

      s -sa 005f0000 00620000 "hello"

    This is not achieving the expected results, so I think either the last step is incorrect, or I've missed a step (or maybe I'm misinterpreting this entire exercise on a fundamental level). Can anyone give some guidance, and/or direct me to some beginning documentation (other than the documentation at that might help?

    Saturday, July 05, 2014 3:37 PM


All replies