How can I find similar effects in WinDbg

lihaofe lihaofe 0 Reputation points
2024-07-24T12:34:32.7433333+00:00

Recently, I have been learning how to analyze dump files, and when I look at some analysis cases, I always see things like this


I have tried many times but couldn't find similar content. How does this debugging method work?


1 answer

  1. Wesley Li 10,235 Reputation points
    2024-07-24T16:38:20.3366667+00:00

    Hello

    It sounds like you’re trying to find specific strings or patterns within dump files using WinDbg. This can be quite useful for identifying certain drivers or modules, like the ones you mentioned (e.g., 360AntiHijac, 360AntiHacke, 360elam64.sy).

    To search for referenced text strings in WinDbg, you can use commands like !for_each_module and !for_each_frame to iterate through modules and stack frames, respectively. Here are some steps you can follow:

    Load the Dump File: Open your dump file in WinDbg.

    Search for Strings: Use the s command to search for strings. For example:

    To search for ASCII strings: s -sa 0x0 L?0xffffffff "360Anti"

    To search for Unicode strings: s -su 0x0 L?0xffffffff "360Anti"

    Display Referenced Memory: Use commands like dpa (for ASCII strings) and dpu (for Unicode strings) to display referenced memory.

    Analyze Modules: Use lm to list loaded modules and !for_each_module to iterate through them.

    Check Stack Frames: Use !for_each_frame to iterate through stack frames and look for references.

     

    Here’s a simple example of searching for a specific string in memory:

    s -sa 0x0 L?0xffffffff "360Anti"

    This command searches for the ASCII string “360Anti” in the entire memory range.

     

    For more detailed analysis, you might want to refer to resources like the WinDbg Cheat Sheet on GitHub or other online tutorials that provide tips and tricks for using WinDbg effectively.

    GitHub - repnz/windbg-cheat-sheet: My personal cheat sheet for using WinDbg for kernel debugging

    search - Searching for "All Referenced Text Strings" in WinDBG - Stack Overflow
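A small Python emulation of what the s -sa / s -su and da / du steps in the answer above do, added here as an illustration (it is not code from the answer or from WinDbg): it scans a constructed byte buffer for a search term in both ASCII and UTF-16LE form, because a driver name held in a UNICODE_STRING never matches an ASCII-only search. The driver names in the sample buffer are constructed placeholders; the offsets returned are positions in the buffer, not the virtual addresses WinDbg reports.

```python
import re
from typing import List, Tuple

# Constructed sample "dump" contents: one ASCII string and one UTF-16LE string,
# separated by filler bytes, as they might sit in different memory regions.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"360AntiDemoA.sys\x00"                       # ASCII, NUL-terminated
    + b"\xcc" * 8
    + "360AntiDemoB.sys".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE (UNICODE_STRING buffer)
    + b"\xff" * 8
)


def read_string(blob: bytes, offset: int, enc: str, max_chars: int = 64) -> str:
    """Read a printable string starting at offset, like 'da' (ASCII) or 'du' (Unicode).
    Stops at the first NUL or non-printable code unit."""
    width = 1 if enc == "ascii" else 2
    chars = []
    for i in range(offset, min(len(blob), offset + max_chars * width), width):
        unit = blob[i:i + width]
        if len(unit) < width:
            break
        code = int.from_bytes(unit, "little")
        if code == 0 or not 0x20 <= code < 0x7F:
            break
        chars.append(chr(code))
    return "".join(chars)


def search_dump(blob: bytes, needle: str) -> List[Tuple[int, str, str]]:
    """Return sorted (offset, encoding, string) hits for needle, searched both as
    ASCII (WinDbg 's -sa') and as UTF-16LE (WinDbg 's -su')."""
    hits = []
    for label, enc in (("ascii", "ascii"), ("unicode", "utf-16-le")):
        pattern = re.escape(needle.encode(enc))
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), label, read_string(blob, m.start(), enc)))
    return sorted(hits)


if __name__ == "__main__":
    for offset, label, text in search_dump(SAMPLE_DUMP, "360Anti"):
        print(f"{offset:#010x}  {label:7}  {text}")
```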

