
searchMemory function in pykd


I'm trying to understand how to use the searchMemory() function in the pykd extension for WinDbg.

The documentation says the following:

Function searchMemory

searchMemory( (long)arg1, (int)arg2, (list)arg3) -> int :
Search in virtual memory

C++ signature :
unsigned __int64 searchMemory(unsigned __int64,unsigned long,class boost::python::list)

searchMemory( (long)arg1, (int)arg2, (str)arg3) -> int :
Search in virtual memory

C++ signature :
unsigned __int64 searchMemory(unsigned __int64,unsigned long,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >)

Does someone know what the arguments are and how should I use this function?


Solution

  • First, note that there are 2 overloads of the same method:

    searchMemory( (long)arg1, (int)arg2, (list)arg3) -> int
    

    and

    searchMemory( (long)arg1, (int)arg2, (str)arg3) -> int
    
    • arg1 is the start address or offset at which to start the search,
    • arg2 is the length or amount of memory to search and
    • arg3 is the search term, which can be
      • a string (std::string) or
      • a list (of char)
    • the return value is an offset again, certainly the offset of the first occurrence, so to find the next occurrence, you have to search again

    I have interpreted all this from the sources in pymemaccess.cpp [Codeplex] and never used it myself yet.

    I'm neither very familiar with C++ nor with Python and even worse for the mapping between the two, but IMHO the std::string is a string of bytes and not Unicode characters, so you can put arbitrary bytes in there. It should also be suitable for ASCII search. But you might have to fiddle a bit for UTF-16 / UCS text. The same probably applies for the list of char, because it's not declared as wchar_t.
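As an added example that is not part of the original question or answer: the answer says searchMemory() returns only the first hit, so finding every occurrence means searching again from just past the previous hit, and that UTF-16 text needs the bytes prepared by hand. The script below does both. It is written against the (start, length, pattern) shape of the signature quoted above, not against pykd itself: under WinDbg you would pass `pykd.searchMemory` as the `search` argument, while offline it runs against a constructed byte buffer through `FakeMemory.search`, which mimics that signature. Two things are assumptions of this example, not facts from the page: that the real function raises or returns a falsy value when nothing is found, and that a `bytes` term is what you hand to the str/list overloads (how Python 2 vs 3 maps `bytes` onto the list-of-char overload is not settled by the answer; `list(term)` is one option to try).

```python
"""Find every occurrence of a pattern with a searchMemory-style function.

Added example. pykd.searchMemory(start, length, pattern) returns the
address of the FIRST match only, so the loop below re-searches from one
byte past each hit until the window is exhausted.
"""


def ascii_term(text):
    """Search term for an ANSI/ASCII string (std::string overload takes raw bytes)."""
    return text.encode("ascii")


def utf16_term(text):
    """Search term for a Windows UNICODE_STRING / wchar_t buffer (UTF-16LE)."""
    return text.encode("utf-16-le")


def pointer_term(value, width=8):
    """Search term for a pointer-sized little-endian value (e.g. a vtable or heap address)."""
    return value.to_bytes(width, "little")


class FakeMemory:
    """Stand-in for the debuggee's address space (constructed test data, not pykd).

    search() has the same (start, length, pattern) shape as pykd.searchMemory
    and returns the address of the first match, or None if there is none.
    """

    def __init__(self, base, data):
        self.base = base
        self.data = data

    def search(self, start, length, pattern):
        lo = max(start - self.base, 0)
        hi = min(lo + length, len(self.data))
        idx = self.data.find(pattern, lo, hi)
        return None if idx < 0 else self.base + idx


def find_all(search, start, length, pattern):
    """Return every match address of `pattern` in [start, start+length).

    `search` is any callable with the searchMemory signature. Each hit is
    followed by a new search starting one byte later, so overlapping matches
    are found too. Assumption: a failed search raises (pykd's MemoryException
    is the likely case) or returns a falsy value; either ends the loop.
    """
    hits = []
    end = start + length
    pos = start
    while pos < end:
        try:
            found = search(pos, end - pos, pattern)
        except Exception:  # assumed "not found" signalling; see docstring
            break
        if not found:  # None or 0: nothing more in the window
            break
        hits.append(found)
        pos = found + 1  # step one byte, not len(pattern), to keep overlaps
    return hits


# Constructed sample "memory": 4 zero bytes, ASCII "Hello", 3 zeros,
# UTF-16LE "Hello", 2 zeros, ASCII "Hello" again.
SAMPLE_BASE = 0x10000
SAMPLE = (b"\x00" * 4 + b"Hello" + b"\x00" * 3
          + "Hello".encode("utf-16-le") + b"\x00" * 2 + b"Hello")


def demo():
    """Run the ASCII and UTF-16 searches over the constructed buffer."""
    mem = FakeMemory(SAMPLE_BASE, SAMPLE)
    return {
        "ascii": find_all(mem.search, mem.base, len(mem.data), ascii_term("Hello")),
        "utf16": find_all(mem.search, mem.base, len(mem.data), utf16_term("Hello")),
    }


if __name__ == "__main__":
    for kind, addrs in demo().items():
        print(kind, [hex(a) for a in addrs])
    # Under WinDbg, replace mem.search with pykd.searchMemory, e.g.:
    # import pykd
    # find_all(pykd.searchMemory, 0x7ff600000000, 0x100000, utf16_term("ntdll.dll"))
```

Note that an ASCII search does not find the UTF-16 copy of the same text (the interleaved NUL bytes break the match), which is the "fiddling" the answer alludes to; building the term with `utf16_term()` is the fix.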