Crash Dump Analysis and Debugging Forum

by **VDO** » Sat Oct 14, 2006 4:31 pm

Recently I discovered wonderful WinDbg commands dpu (UNICODE strings) and dpa (ASCII strings). Look at WinDbg help for other d** equivalents like dpp.

I needed to examine raw stack data and check if any pointers on stack were pointing to strings. For example:

Code: Select all: 0:143> !teb TEB at 7ff2b000 ... StackBase: 05e90000 StackLimit: 05e89000 ... ... ... 0:143> dpu 05e89000 05e90000 05e8f58c 00120010 "" ... ... ... 05e8f590 77e7723c "Debugger" 05e8f594 00000000 05e8f598 08dc0154 05e8f59c 01000040 05e8f5a0 05e8f5dc "G:\WINDOWS\system32\faultrep.dll" 05e8f5a4 0633adf0 "" 05e8f5a8 00000000 05e8f5ac 00000001 05e8f5b0 00000012 05e8f5b4 7c8723e0 05e8f5b8 ffffffff 05e8f5bc 00000004 05e8f5c0 69500000 05e8f5c4 00000000 05e8f5c8 00000aac 05e8f5cc 00000002 05e8f5d0 05e8f740 05e8f5d4 0633adfc "drwtsn32 -p %ld -e %ld -g" 05e8f5d8 00000000 ... ... ...

Of course, you can apply these commands to any memory range, not only stack.

by **J_R** » Fri Jan 08, 2010 11:34 pm

I use that a lot to dump strings from thread stacks. It's kind of long though and slow with it's output. You can also use the search command 's' if you know what your looking for, the output is short but searching can take time. One more method is the sysinternals tool called strings.exe. It can find strings based on some parameters in a dump, exe, or other file really really fast.

by **VDO** » Tue Mar 16, 2010 11:14 am

Agree it makes sense to use s command. I'm now thinking about creating a common search file to use in scripts
Thanks,
Dmitry

Crash Dump Analysis and Debugging Forum

Looking for strings in a dump

Looking for strings in a dump

Re: Looking for strings in a dump

Re: Looking for strings in a dump

Who is online