Dev.K.

Reputation: 2488

Search sequence of bytes only in heap blocks

I'm looking for a WinDbg tool / script which can help me search for a sequence of bytes in heap blocks only.

For a 32-bit process I can use the following command to search for the bytes through the entire user-mode process space, but for a 64-bit process it takes a lot of time:

 s 0 L?0x7fffffff 41 42 43 44 45 46

Upvotes: 0

Views: 1418

Answers (1)

Thomas Weller

Reputation: 59359

I think you're looking for the C++ heaps. There we have the !heap command which can help figure out which heap addresses there are. With another !heap <address> it's possible to get the length of that heap. This information can then be fed into s to limit the address range.

While it might be possible with WinDbg scripts and .foreach or similar, writing WinDbg scripts is not really fun and they break easily, so let's start with a real programming language.

With this information given, let's start a PyKd script which can search through those heaps. Because I'm still not too familiar with PyKd, I'll mostly use dbgCommand() and I'll use the Python part for parsing the results so that I don't have to rely on word-by-word identical output.

Unfortunately my PyKd setup got broken while writing this answer. Here's what I had before it started crashing my WinDbg. Note that this is incomplete because it does not take the search bytes as arguments yet. Add them where XXX is.

from pykd import dbgCommand

# Placeholder: replace XXX with the byte pattern to search for, e.g. 41 42 43
pattern = "XXX"

def parse_addr(text):
    # 64-bit WinDbg prints addresses as 00000000`00670000; drop the backtick
    return int(text.replace("`", ""), 16)

heap = dbgCommand("!heap").split('\n')
for ntheap in heap:
    if "NT Heap" in ntheap:
        address = ntheap.split()[0]          # first column is the heap base
        heapdetails = dbgCommand("!heap " + address).split('\n')
        for detail in heapdetails:
            if "Segment at" in detail:
                # "Segment at <start> to <end> (<n> bytes committed)"
                start = detail[detail.index("Segment at ") + 11:detail.index(" to ")]
                end = detail[detail.index(" to ") + 4:detail.index(" (")]
                length = parse_addr(end) - parse_addr(start)
                # search each segment range, not the whole heap from its base
                results = dbgCommand("s %x L?%x %s" % (parse_addr(start), length, pattern))
                print(results)

Upvotes: 1
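The same idea as the answer above, worked out as an added example (this is not the answerer's script and not part of the original page): list heaps with !heap, list each heap's segments with !heap <addr>, and restrict s to those ranges. It additionally handles 64-bit addresses printed with the backtick separator (00000000`00670000), takes the pattern bytes from the command line, and keeps the output parsing separate from pykd so it can be exercised offline. dbgCommand and the !py invocation are real pykd features; the debugger output embedded below is constructed, not captured from a session, and real !heap output may differ in spacing or wording between WinDbg versions.

```python
"""Search a byte pattern only inside the NT heap segments of the debuggee.

Inside WinDbg with pykd loaded:   !py heapsearch.py 41 42 43 44 45 46
Outside WinDbg the parsers run against the constructed sample output.
"""
import re
import sys

try:
    from pykd import dbgCommand        # real pykd API; only importable inside WinDbg
except ImportError:                    # offline: parsers still usable on captured text
    dbgCommand = None

# A WinDbg hex address with or without the 64-bit backtick separator.
_ADDR = r"[0-9a-fA-F]{1,8}(?:`[0-9a-fA-F]{8})?"
_SEGMENT_RE = re.compile(r"Segment at (%s) to (%s)" % (_ADDR, _ADDR))


def parse_addr(text):
    """'00000000`00670000' or '670000' -> int."""
    return int(text.replace("`", ""), 16)


def heap_addresses(heap_listing):
    """Heap base addresses from the output of '!heap' (no arguments)."""
    return [parse_addr(line.split()[0])
            for line in heap_listing.splitlines() if "NT Heap" in line]


def heap_segments(heap_details):
    """(start, end) pairs from the 'Segment at X to Y' lines of '!heap <addr>'."""
    return [(parse_addr(m.group(1)), parse_addr(m.group(2)))
            for m in map(_SEGMENT_RE.search, heap_details.splitlines()) if m]


def search_command(start, end, pattern):
    """Build an 's' command restricted to [start, end); pattern is bytes."""
    hexbytes = " ".join("%02x" % b for b in bytearray(pattern))
    return "s %x L?%x %s" % (start, end - start, hexbytes)


def search_heaps(pattern, run=None):
    """Run 's' over every NT heap segment.

    'run' executes one debugger command and returns its text; it defaults to
    pykd's dbgCommand. Returns the non-empty output lines (one per hit).
    """
    run = run or dbgCommand
    if run is None:
        raise RuntimeError("not running under pykd; pass a 'run' callable")
    hits = []
    for heap in heap_addresses(run("!heap")):
        for start, end in heap_segments(run("!heap %x" % heap)):
            out = run(search_command(start, end, pattern))
            hits.extend(line for line in out.splitlines() if line.strip())
    return hits


# Constructed sample output (assumption: not captured from a real session)
# so the whole flow can be exercised outside WinDbg.
SAMPLE_OUTPUT = {
    "!heap": (
        "        Heap Address      NT/Segment Heap\n"
        "\n"
        "   00000000`00670000              NT Heap\n"
        "   00000000`00900000              NT Heap\n"),
    "!heap 670000": (
        "Index   Address  Name      Debugging options enabled\n"
        "  1:   00000000`00670000\n"
        "    Segment at 00000000`00670000 to 00000000`00770000 (00100000 bytes committed)\n"),
    "!heap 900000": (
        "Index   Address  Name      Debugging options enabled\n"
        "  2:   00000000`00900000\n"
        "    Segment at 00000000`00900000 to 00000000`00940000 (00040000 bytes committed)\n"),
    "s 670000 L?100000 41 42 43":
        "00000000`006712a0  41 42 43 44 45 46 00 00-00 00 00 00 00 00 00 00  ABCDEF..........\n",
}


def fake_run(command):
    """Stand-in for dbgCommand that replays SAMPLE_OUTPUT."""
    return SAMPLE_OUTPUT.get(command, "")


if __name__ == "__main__":
    pattern = bytes(bytearray(int(a, 16) for a in sys.argv[1:]))
    if not pattern:
        pattern = b"ABC"           # demo pattern when run without arguments
    for hit in search_heaps(pattern, None if dbgCommand else fake_run):
        print(hit)
```

Two caveats: only "NT Heap" entries are handled, so processes using the Segment Heap need a different walk, and the range searched is each segment's reserved range ("Segment at X to Y"); if you want to stay within committed memory, take the byte count in the parentheses on the same line and use it as the length instead of Y minus X.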
