Debugging – extract Unicode text from dump files

I have a program that freezes (especially SQL Developer), and there are some unsaved files in it. I use Sysinternals' Process Explorer to create a dump file before terminating the process. I really only lost a few hours of work, but I think it's a good learning experience to see what I can extract from the dump file. So far, I have downloaded and run WinDbg and found my text:

s -u 0x00000000 L?0xffffffff "text I know exists in my file"

From there I got the relevant memory address, and I can view the text in the memory window and most of the files. However, from here I am a bit stuck. I know I can use the du command to dump the text, but what strategy should I use to determine the start and end range? This is a 1 gigabit dump, so I will never dump 0x00000000 to 0xffffffff, because I don't have a text file that most editors can open. Is there a way to just dump user memory or non-code memory, etc.? It is not necessarily perfect anyway. I am satisfied with only opening the dump file in TextPad, but the Unicode data is not displayed, only ASCII is displayed (maybe because TextPad cannot detect the type, or because it is a 64-bit dump).

You can also try the strings.exe utility in Sysinternals (now MS) and redirect all output (Unicode and ASCII) to a text file. Then search the text file (or just eyeball it) to find what you are looking for.
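
The following is an added example, not part of the original question or answer: it scans a dump file directly for UTF-16LE text runs and returns the whole run around a known phrase, which gives the start and end of the buffer without choosing an address range by hand. The function names and the sample bytes are constructed for illustration, and the offsets reported are file offsets, not virtual addresses.

```python
import mmap
import re


def utf16_runs(buf, min_chars=8):
    """Yield (file_offset, text) for each run of UTF-16LE text in buf.

    Only ASCII-range characters (plus tab/CR/LF) stored as 2-byte
    little-endian code units are matched, the same kind of text that
    `s -u` and strings.exe report.
    """
    pattern = re.compile(rb"(?:[\t\n\r\x20-\x7e]\x00){%d,}" % min_chars)
    for m in pattern.finditer(buf):
        yield m.start(), m.group().decode("utf-16-le")


def runs_containing(buf, needle, min_chars=8):
    """Return the complete runs that contain `needle`: the known text
    expanded to the start and end of the buffer it sits in."""
    return [(off, text) for off, text in utf16_runs(buf, min_chars)
            if needle in text]


def scan_dump(path, needle):
    """Memory-map the dump so a large file is not read into RAM at once."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return runs_containing(mm, needle)


# Constructed sample standing in for a dump: binary junk around one
# UTF-16LE buffer, followed by plain ASCII that must not be reported.
SAMPLE_TEXT = "SELECT * FROM orders\r\nWHERE id = 42; -- unsaved"
SAMPLE = (b"\x90\x90MZ\x00\xff" + SAMPLE_TEXT.encode("utf-16-le")
          + b"\x00\x00\xfe\xca" + b"ascii only")

if __name__ == "__main__":
    for offset, text in runs_containing(SAMPLE, "WHERE id"):
        print(f"file offset 0x{offset:x}, {len(text)} chars:\n{text}")
```

An editor may keep one document in several separate buffers, so a file can come back as more than one run; searching for a phrase from each part recovers them individually.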

