Hello
It sounds like you’re trying to find specific strings or patterns within dump files using WinDbg. This can be quite useful for identifying certain drivers or modules, like the ones you mentioned (e.g., 360AntiHijac, 360AntiHacke, 360elam64.sy).
To search for referenced text strings in WinDbg, you can use commands like !for_each_module and !for_each_frame to iterate through modules and stack frames, respectively. Here are some steps you can follow:
1. Load the Dump File: Open your dump file in WinDbg.
2. Search for Strings: Use the s command to search for strings. For example:
   - To search for ASCII strings: s -a 0x0 L?0xffffffff "360Anti"
   - To search for Unicode strings: s -u 0x0 L?0xffffffff "360Anti"
   (The -a and -u flags search for a given ASCII or Unicode string; -sa and -su list all printable strings in the range and take no pattern.)
3. Display Referenced Memory: Use commands like dpa (for ASCII strings) and dpu (for Unicode strings) to display referenced memory.
4. Analyze Modules: Use lm to list loaded modules and !for_each_module to iterate through them.
5. Check Stack Frames: Use !for_each_frame to iterate through stack frames and look for references.
Here’s a simple example of searching for a specific string in memory:
s -a 0x0 L?0xffffffff "360Anti"
This command searches for the ASCII string "360Anti" in the entire memory range.
For more detailed analysis, you might want to refer to resources like the WinDbg Cheat Sheet on GitHub or other online tutorials that provide tips and tricks for using WinDbg effectively.
GitHub - repnz/windbg-cheat-sheet: My personal cheat sheet for using WinDbg for kernel debugging
search - Searching for "All Referenced Text Strings" in WinDBG - Stack Overflow
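As an added example that is not part of the answer above, the following WinDbg commands restrict the search to the image range of each loaded module instead of scanning a fixed address range, so a hit can be tied directly to the driver or module that contains it. It assumes a dump with symbols loaded and uses the @#Base and @#Size aliases that !for_each_module provides.

```windbg
* Added example, not from the original answer: search each loaded module's
* image range for the ASCII and Unicode forms of the string "360Anti".
* @#Base and @#Size are the per-module aliases supplied by !for_each_module;
* L? allows a range larger than the default 256 MB limit.
!for_each_module s -a @#Base L?@#Size "360Anti"
!for_each_module s -u @#Base L?@#Size "360Anti"
* Each hit prints the address of the match. To confirm the owning module:
* lm a <hit address>
* To read the full string at a hit address:
* da <hit address>    (ASCII)
* du <hit address>    (Unicode)
```

Searching per module is also faster than scanning a flat range, because unmapped gaps between modules are skipped.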