
FS_Search

ufrisk edited this page May 12, 2022 · 4 revisions

The search root and per-process directories

The directory search exists as a sub-directory to the file system root under /misc/search and in each process directory.

The search functionality allows for flexible and efficient searching of process virtual memory and/or physical memory.

The files in the search directories are listed in the table below:

| File | Description |
| --- | --- |
| addr-min.txt | Minimum address to search from. |
| addr-max.txt | Maximum address to search to. |
| align.txt | Byte alignment of the search (1, 2, 4, 8, 16, 0x1000 bytes etc.). |
| readme.txt | README file. |
| reset.txt | Write 1 to prepare for a new search / abort an ongoing search / clear the previous search. |
| result.txt | Addresses with search matches. |
| search.txt | The search term in hexascii. Please see below for additional info. |
| search-skip-bitmask.txt | Bitmask applied to each bit of search.txt. 0 = search normally. 1 = wildcard search of the specific bit. |
| status.txt | Status of an ongoing or completed search. |

Files in the search directories are read-write with the exception of readme.txt, result.txt and status.txt.

Search

Before a search is initiated it's possible to set optional constraints, such as min and max address, search alignment and any wildcard characters in the search-skip-bitmask.txt bitmask.

The search is initiated by writing a hexascii term into the file search.txt. Once written the search starts immediately.

It's possible to follow the progress of the search by monitoring status.txt. It's also possible to abort or clear a previous search by writing 1 into reset.txt; this makes the directory ready for a new search.

Information

The search functionality in misc/search will search the entire physical memory space.

The search functionality in each process directory searches the process virtual address space. For a 64-bit address space the search is, for performance reasons, only performed on the relevant parts of the address space (as shown by the memmap functionality). To search the kernel address space, select the SYSTEM process (PID 4) or one of the CSRSS.EXE processes; other processes are usually only searched in the user part of the address space, i.e. 0x0 to 0x7fffffffffff.

Example

The example searches for pointer references to the address 0xffffcf00d217eb40 in the virtual address space of the System process. Note that the byte order of the search term is reversed because pointers are stored little-endian in memory.
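The search procedure above and the pointer-reference example, driven from a POSIX shell against a mounted MemProcFS instance. This is an added example, not code from the MemProcFS project. It assumes the file system is mounted at $MEMPROCFS_MOUNT (default /mnt/memprocfs), that process directories live under /pid/<pid>/, that addr-min.txt and addr-max.txt accept a hex address, and that status.txt contains the word "completed" once a search has finished; check those against what your MemProcFS version actually shows. The ?? pattern helpers go beyond the page's pointer example and show how search-skip-bitmask.txt wildcards whole bytes (ff per wildcard byte) for a signature-style search.

```shell
#!/bin/sh
# Added example, not MemProcFS project code. Assumptions: mount point in
# $MEMPROCFS_MOUNT, process directories under /pid/<pid>/, hex addresses
# accepted by addr-min.txt/addr-max.txt, and "completed" in status.txt once done.

MEMPROCFS_MOUNT=${MEMPROCFS_MOUNT:-/mnt/memprocfs}

# Encode a 64-bit address (e.g. 0xffffcf00d217eb40) as the little-endian
# hexascii byte string search.txt expects for a pointer (40eb17d200cfffff).
ptr_to_hexascii() {
    hex=$(printf '%016x' "$1")   # zero-pad to 8 bytes, big-endian text
    out=""
    while [ -n "$hex" ]; do
        rest=${hex#??}           # everything after the leading byte
        first=${hex%"$rest"}     # the leading byte itself
        out="$first$out"         # prepend, so the last byte ends up first
        hex=$rest
    done
    printf '%s' "$out"
}

# Turn a byte pattern with ?? wildcards, e.g. "48 8b ?? ?? 05", into the
# search.txt term: wildcard bytes are written as 00 (the mask ignores them).
pattern_term() {
    set -f                       # "??" must not be globbed against the cwd
    out=""
    for b in $1; do
        case "$b" in
            '??') out="${out}00" ;;
            *)    out="${out}${b}" ;;
        esac
    done
    set +f
    printf '%s' "$out"
}

# The matching search-skip-bitmask.txt value: ff (all eight bits wildcarded)
# for ?? bytes, 00 for bytes that must match exactly.
pattern_mask() {
    set -f
    out=""
    for b in $1; do
        case "$b" in
            '??') out="${out}ff" ;;
            *)    out="${out}00" ;;
        esac
    done
    set +f
    printf '%s' "$out"
}

# Run one search in directory $1 ("$MEMPROCFS_MOUNT/misc/search" for physical
# memory, "$MEMPROCFS_MOUNT/pid/4/search" for the System process) with term $2,
# skip-bitmask $3, alignment $4 and optional address range $5..$6.
# Constraints are written first; writing search.txt starts the search.
run_search() {
    dir=$1; term=$2; mask=$3; align=${4:-1}; amin=$5; amax=$6
    echo 1 > "$dir/reset.txt"                      # clear any previous search
    printf '%s\n' "$align" > "$dir/align.txt"
    if [ -n "$amin" ]; then printf '%s\n' "$amin" > "$dir/addr-min.txt"; fi
    if [ -n "$amax" ]; then printf '%s\n' "$amax" > "$dir/addr-max.txt"; fi
    printf '%s\n' "$mask" > "$dir/search-skip-bitmask.txt"
    printf '%s\n' "$term" > "$dir/search.txt"
    while ! grep -qi completed "$dir/status.txt"; do  # assumed status wording
        sleep 1
    done
    cat "$dir/result.txt"                            # one matching address per line
}

# Demo: pointer references to 0xffffcf00d217eb40 in the System process
# (8-byte aligned, as pointers normally are), then a ?? pattern over physical memory.
if [ "${1:-}" = "--demo" ]; then
    run_search "$MEMPROCFS_MOUNT/pid/4/search" \
        "$(ptr_to_hexascii 0xffffcf00d217eb40)" "0000000000000000" 8
    p='48 8b ?? ?? 05'
    run_search "$MEMPROCFS_MOUNT/misc/search" \
        "$(pattern_term "$p")" "$(pattern_mask "$p")" 1
fi
```

Run it as `sh search.sh --demo` with MemProcFS mounted; the helper functions can also be sourced and used interactively. The alignment of 8 for the pointer search drops the unaligned false positives a byte-granular search would produce.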

For Developers

The search sub-directories are implemented as a built-in native C-code plugin. The plugin source is located in the file m_search.c in the vmm project.
