Feb 24 2012
 

-> Note: for demonstration purposes the examples below use the current thread's stack range as the address range: poi(@$teb+8) poi(@$teb+4) (on x86 these TEB fields are the StackLimit and StackBase, i.e. the low and high ends of the stack). <-

Search for the ASCII string "Rtl" (the hit shown is the start of "RtlGetProductInfo"):
s -a poi(@$teb+8) poi(@$teb+4) "Rtl"
// Output
0fd3d906 52 74 6c 47 65 74 50 72-6f 64 75 63 74 49 6e 66 RtlGetProductInf

Search for the Unicode (UTF-16) string "AgentService" (two hits in this range):
s -u poi(@$teb+8) poi(@$teb+4) "AgentService"
// Output
0fd3ed7c 0041 0067 0065 006e 0074 0053 0065 0072 A.g.e.n.t.S.e.r.
0fd3edec 0041 0067 0065 006e 0074 0053 0065 0072 A.g.e.n.t.S.e.r.


Display all ASCII strings that are at least 8 characters long:

s -[l8]sa poi(@$teb+8) poi(@$teb+4)
// Output
0fd3d0d4 "mscorlib.pdb"
0fd3d906 "RtlGetProductInfo"


Display all Unicode strings that are at least 58 characters long:

s -[l58]su poi(@$teb+8) poi(@$teb+4)
// Output
0fd3bc08 "謬矐뻬࿓ilC:\Windows\WinSxS\x86_micr"
0fd3bc48 "osoft.vc80.crt_1fc8b3b9a1e18e3b_"
0fd3bc88 "8.0.50727.6195_none_d09154e04427"
0fd3bcc8 "2b9a"
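To make clear what the four searches above actually do to the bytes in the range, here is an added Python re-implementation of `s -a`/`s -u` (pattern search) and `s -[lN]sa`/`s -[lN]su` (printable-string scan) over a constructed buffer; this is not part of the original post or of WinDbg, and the buffer contents and base address are constructed for the demonstration.

```python
import re

# Constructed stand-in for the thread-stack range the post searches with
# poi(@$teb+8) .. poi(@$teb+4); the base address is constructed as well.
BASE = 0x0FD3D000
MEMORY = (
    b"\x10\x00\x00\x00" + b"mscorlib.pdb\x00"
    + b"RtlGetProductInfo\x00" + b"ab\x00\x00"      # "ab" is too short for -[l8]sa
    + "AgentService".encode("utf-16-le") + b"\x00\x00"
    + b"\x7fA\x00B\x00"                              # 2-char UTF-16 run, too short
)

def hexdump_line(mem, base, offset, unicode=False):
    """Render one hit the way WinDbg prints it: address, 16 bytes (or 8
    little-endian words for -u) and a text column with non-printables as '.'."""
    chunk = mem[offset:offset + 16].ljust(16, b"\x00")
    if unicode:
        words = " ".join(f"{int.from_bytes(chunk[i:i + 2], 'little'):04x}"
                         for i in range(0, 16, 2))
    else:
        bs = [f"{b:02x}" for b in chunk]
        words = " ".join(bs[:8]) + "-" + " ".join(bs[8:])
    text = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
    return f"{base + offset:08x} {words} {text}"

def search(mem, base, needle, unicode=False):
    """`s -a` / `s -u`: addresses of every occurrence of the encoded needle."""
    enc = needle.encode("utf-16-le" if unicode else "ascii")
    return [base + m.start() for m in re.finditer(re.escape(enc), mem)]

def strings(mem, base, min_len, unicode=False):
    """`s -[lN]sa` / `s -[lN]su`: (address, text) for every run of at least
    min_len printable characters; -su expects each char followed by a 00 byte."""
    char = rb"[\x20-\x7e]\x00" if unicode else rb"[\x20-\x7e]"
    pat = rb"(?:" + char + rb"){%d,}" % min_len
    return [(base + m.start(), m.group().decode("utf-16-le" if unicode else "ascii"))
            for m in re.finditer(pat, mem)]

if __name__ == "__main__":
    for addr in search(MEMORY, BASE, "Rtl"):                         # s -a ... "Rtl"
        print(hexdump_line(MEMORY, BASE, addr - BASE))
    for addr in search(MEMORY, BASE, "AgentService", unicode=True):  # s -u ...
        print(hexdump_line(MEMORY, BASE, addr - BASE, unicode=True))
    for addr, text in strings(MEMORY, BASE, 8):                      # s -[l8]sa
        print(f'{addr:08x} "{text}"')
    for addr, text in strings(MEMORY, BASE, 8, unicode=True):        # s -[l8]su
        print(f'{addr:08x} "{text}"')
```

Lowering the length argument (for example `strings(MEMORY, BASE, 2, unicode=True)`) shows why the `l` filter matters: short accidental runs such as the two-character "AB" start to appear alongside the real string.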
