findall

Find all occurrences of a pattern in a memory page.

arguments

arg1 The address to start searching from. Note that the search stops when the end of the memory page containing this address is reached. This means you cannot search the complete process memory without enumerating the memory pages first. Use findallmem to search for a pattern in the whole memory.

arg2 The byte pattern to search for. This byte pattern can contain wildcards (?), for example: EB0?90??8D. You can use String Formatting here.

[arg3] The size of the data to search in. Default is the size of the memory region.

result

$result is set to the number of occurrences.

examples

Search for all matches of a pattern in the memory page where CIP resides:

findall mem.base(cip), "0FA2 E8 ???????? C3"

Search for all occurrences of the value of cax in the memory page of the stack:

findall mem.base(csp), "{bswap@cax}"
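The matching rules behind the patterns above, as an added Python illustration (not x64dbg's own code): a pattern is a run of hex nibbles with optional whitespace, each ? stands for any single nibble (so ?? matches any byte), and the search is confined to a single region, just as findall stops at the end of the memory page. The sample page bytes, the function names parse_pattern and find_all, and the start/size parameters are constructed for this example; the patterns are the ones from this page.

```python
"""Nibble-wildcard byte pattern search, modelled on the findall semantics.

Added illustration, not x64dbg's implementation. Assumptions: hex nibbles with
optional whitespace, '?' matches any single nibble, and matching never crosses
the end of the given region (the "memory page").
"""
from typing import List, Optional, Tuple

# Each pattern byte is (value, mask): a '?' nibble clears its 0xF0/0x0F mask bits.
PatternByte = Tuple[int, int]


def parse_pattern(pattern: str) -> List[PatternByte]:
    """Compile "0FA2 E8 ???????? C3" style text into (value, mask) pairs."""
    text = "".join(pattern.split())  # whitespace between bytes is ignored
    if len(text) % 2:
        raise ValueError("pattern must contain an even number of nibbles")
    compiled = []
    for i in range(0, len(text), 2):
        hi, lo = text[i], text[i + 1]
        value, mask = 0, 0
        if hi != "?":
            value |= int(hi, 16) << 4  # raises ValueError on a non-hex char
            mask |= 0xF0
        if lo != "?":
            value |= int(lo, 16)
            mask |= 0x0F
        compiled.append((value, mask))
    return compiled


def find_all(region: bytes, pattern: str, start: int = 0,
             size: Optional[int] = None) -> List[int]:
    """Return the offset of every match of pattern inside region[start:start+size].

    Like findall, the scan ends at the region boundary: a match that would
    run past the end of the region is never reported, and size defaults to
    "the rest of the region" (findall's arg3 default).
    """
    compiled = parse_pattern(pattern)
    n = len(compiled)
    end = len(region) if size is None else min(len(region), start + size)
    hits = []
    for off in range(start, end - n + 1):
        if all((region[off + k] & mask) == value
               for k, (value, mask) in enumerate(compiled)):
            hits.append(off)
    return hits


def count_occurrences(region: bytes, pattern: str, start: int = 0,
                      size: Optional[int] = None) -> int:
    """The equivalent of $result: the number of matches."""
    return len(find_all(region, pattern, start, size))


# Constructed sample "page": two CPUID-call stubs and one short jump stub.
SAMPLE_PAGE = bytes.fromhex(
    "90 90 0F A2 E8 11 22 33 44 C3 90"   # 0FA2 E8 ???????? C3 at offset 2
    "EB 05 90 90 8D 00"                  # EB0?90??8D at offset 11
    "0F A2 E8 AA BB CC DD C3"            # second CPUID stub at offset 17
)

if __name__ == "__main__":
    for pat in ("0FA2 E8 ???????? C3", "EB0?90??8D"):
        hits = find_all(SAMPLE_PAGE, pat)
        print(f"{pat!r}: {count_occurrences(SAMPLE_PAGE, pat)} hit(s) at {hits}")
    # Limiting the size, as findall's arg3 does, drops the later match.
    print("first 12 bytes only:", find_all(SAMPLE_PAGE, "0FA2 E8 ???????? C3", size=12))
```

Running the module scans the constructed page with both patterns from this page and then repeats the first scan with a 12-byte limit to show how arg3 (and the page boundary) cut the search short.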

remarks

The contents of the references view can be iterated in a script using the ref.addr expression function:

    i = 0
    loop:
    addr = ref.addr(i)
    log "reference {d:i} = {p:addr}"
    i++
    cmp i, ref.count()
    jne loop