Looking for strings in a dump

Recently I discovered the wonderful WinDbg commands dpu (UNICODE strings) and dpa (ASCII strings). Look at the WinDbg help for other d** equivalents like dpp.

I needed to examine raw stack data and check whether any pointers on the stack were pointing to strings. For example:

0:143> !teb
TEB at 7ff2b000
...
    StackBase:            05e90000
    StackLimit:           05e89000
...
...
...
0:143> dpu 05e89000 05e90000
05e8f58c  00120010 ""
...
...
...
05e8f590  77e7723c "Debugger"
05e8f594  00000000
05e8f598  08dc0154
05e8f59c  01000040
05e8f5a0  05e8f5dc "G:\WINDOWS\system32\faultrep.dll"
05e8f5a4  0633adf0 ""
05e8f5a8  00000000
05e8f5ac  00000001
05e8f5b0  00000012
05e8f5b4  7c8723e0
05e8f5b8  ffffffff
05e8f5bc  00000004
05e8f5c0  69500000
05e8f5c4  00000000
05e8f5c8  00000aac
05e8f5cc  00000002
05e8f5d0  05e8f740
05e8f5d4  0633adfc "drwtsn32 -p %ld -e %ld -g"
05e8f5d8  00000000
...
...
...

Of course, you can apply these commands to any memory range, not only the stack.

- Dmitry Vostokov -
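
How dpa and dpu treat a range, as an added example that is not from the original post or from WinDbg itself: each pointer-sized value is dereferenced and the target is decoded as a NUL-terminated string. The memory map, addresses and function names are constructed for illustration, and accepting only printable ASCII characters is a simplifying assumption.

```python
import struct

def build_sample():
    """Constructed 32-bit memory map: a fake stack plus two string buffers."""
    image = b"Debugger\x00"                                   # ASCII string
    heap = "drwtsn32 -p %ld -e %ld -g".encode("utf-16-le") + b"\x00\x00"
    stack = struct.pack("<4I", 0x00400000, 0, 0x00500000, 0xFFFFFFFF)
    return {0x00100000: stack, 0x00400000: image, 0x00500000: heap}

def read(mem, addr, size):
    """Return size bytes at addr, or None if not inside a mapped region."""
    for base, data in mem.items():
        if base <= addr and addr + size <= base + len(data):
            return data[addr - base:addr - base + size]
    return None

def read_string(mem, addr, width, limit=256):
    """Decode a NUL-terminated string of width-byte characters.
    Assumption: anything outside printable ASCII means 'not a string'."""
    chars = []
    for i in range(limit):
        raw = read(mem, addr + i * width, width)
        if raw is None:
            return None
        code = int.from_bytes(raw, "little")
        if code == 0:
            return "".join(chars)
        if not 0x20 <= code < 0x7F:
            return None
        chars.append(chr(code))
    return "".join(chars)

def dp_strings(mem, start, end, width, ptr_size=4):
    """Walk [start, end) like dpa (width=1) or dpu (width=2)."""
    rows = []
    for addr in range(start, end, ptr_size):
        raw = read(mem, addr, ptr_size)
        if raw is not None:
            value = int.from_bytes(raw, "little")
            rows.append((addr, value, read_string(mem, value, width)))
    return rows

if __name__ == "__main__":
    mem = build_sample()
    for name, width in (("dpa", 1), ("dpu", 2)):
        print(name)
        for addr, value, text in dp_strings(mem, 0x00100000, 0x00100010, width):
            shown = "" if text is None else f' "{text}"'
            print(f"{addr:08x}  {value:08x}{shown}")
```

In the constructed data the ASCII pass decodes the UTF-16 buffer as just "d" and the Unicode pass rejects the ASCII buffer, which is why it is worth running both dpa and dpu over the same range.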

One Response to “Looking for strings in a dump”

  1. Toby Opferman Says:

    They finally added the commands I asked for many years ago. I wonder if this was due to my request. Well, at least I no longer need to copy around my debug extension for this.
