[vbox-dev] using vbox dbg to view guest memory

Federico Franzoni frz.mlist at gmail.com
Thu May 7 13:59:13 GMT 2015


Hi,
Looking into the source code, I found the corresponding function
"dbgcCmdWorkerSearchMem" in src/VBox/Debugger/DBGCEmulateCodeView.cpp.
The 'range' parameter corresponds to the 'pAddress' parameter of this
function, which is claimed to be "Where to start searching".
I tested the 'sa' command in such a way and it seemed to work as
expected. See below:

-------------------------------------------------------------------------------------------------------------------------------

VBoxDbg> sa 1 kd

%00000000009df960: 6b 64 19 6d 80 64 19 6d-75 64 19 6d 8b 64 19 6d  kd.m.d.mud.m.d.m
%0000000000a08a4f: 6b 64 02 8e f0 80 40 32-95 80 8d 5a 0e 75 81 16  kd....@2...Z.u..
....
%00000000011045df: 6b 64 65 66 2e 55 00 84-21 53 6e 6f 77 64 6f 6f  kdef.U..!Snowdoo
%0000000001112076: 6b 64 6f 6f 72 00 a4 21-5a 69 6e 64 6f 73 2e 41  kdoor..!Zindos.A


VBoxDbg> sa 1000000 kd

%00000000011045df: 6b 64 65 66 2e 55 00 84-21 53 6e 6f 77 64 6f 6f  kdef.U..!Snowdoo
%0000000001112076: 6b 64 6f 6f 72 00 a4 21-5a 69 6e 64 6f 73 2e 41  kdoor..!Zindos.A
...
%0000000001c7436f: 6b 64 18 86 15 c1 09 4c-0d 49 00 1c 90 dc 62 1a  kd.....L.I....b.
%0000000001ccd585: 6b 64 0f 00 cf 84 60 01-8e 43 92 30 34 6c 3f 10  kd....`..C.04l?.


VBoxDbg> sa 1cc0000 kd

%0000000001ccd585: 6b 64 0f 00 cf 84 60 01-8e 43 92 30 34 6c 3f 10  kd....`..C.04l?.
%0000000001cd8c90: 6b 64 1d 48 4e 80 51 62-e5 10 94 73 41 83 01 c0  kd.HN.Qb...sA...
...
%0000000001eb725b: 6b 64 44 0d 00 01 00 00-00 dd b9 6d e9 3d 01 00  kdD........m.=..
%0000000001edc4e9: 6b 64 44 00 27 05 8c f0-c4 ed 01 f0 c4 ed 01 28  kdD.'..........(

----------------------------------------------------------------------------------------------------------------------------

When you test it on your own, you will notice that the command will
output a maximum of 25 hits per search.
This is encoded in the wrapper function "dbgcCmdSearchMemType" within
the same file and, unfortunately, it cannot be changed by any debugger
parameter.
The only way to do it is to modify the sources.

Hope this helps,
Regards,
Federico
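
The 25-hit cap described above can be worked around without rebuilding VirtualBox by re-issuing `sa` from just past the last reported hit, as the three searches in the post already do by hand. The following is an added example, not part of the original post or of the VirtualBox sources; the function names and the sample capture are constructed, and it assumes the hit-line layout shown above and that `sa` starts searching at the address it is given.

```python
import re

# Per-search cap hard-coded in dbgcCmdSearchMemType, as stated in the post.
MAX_HITS = 25

# One hit line: "%<16 hex digits>:" followed by up to 16 bytes separated by
# spaces, with a '-' between the 8th and 9th byte. The ASCII column is ignored.
HIT_RE = re.compile(r"^%([0-9a-fA-F]{16}):((?:[ -][0-9a-fA-F]{2}){1,16})")


def parse_hits(text):
    """Return [(address, data)] for every hit line in captured `sa` output."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            data = bytes.fromhex(m.group(2).replace("-", " "))
            hits.append((int(m.group(1), 16), data))
    return hits


def next_command(text, pattern):
    """Build the follow-up `sa` command, or None if the output was not capped."""
    hits = parse_hits(text)
    # Sanity check: every parsed hit must begin with the searched string,
    # otherwise the capture was mangled (wrapped or edited lines).
    bad = [addr for addr, data in hits if not data.startswith(pattern.encode())]
    if bad:
        raise ValueError(f"hit at {bad[0]:#x} does not start with {pattern!r}")
    if len(hits) < MAX_HITS:
        return None
    resume = hits[-1][0] + 1  # first address after the last reported hit
    return f"sa {resume:x} {pattern}"  # bare hex, as typed in the post


def sample_capture(n, base=0x9DF960, step=0x1000):
    """Constructed sample: n hit lines in the layout shown in the post."""
    row = "6b 64 19 6d 80 64 19 6d-75 64 19 6d 8b 64 19 6d  kd.m.d.mud.m.d.m"
    return "\n".join(f"%{base + i * step:016x}: {row}" for i in range(n))


if __name__ == "__main__":
    print(next_command(sample_capture(25), "kd"))  # capped: resume command
    print(next_command(sample_capture(4), "kd"))   # not capped: None
```

Because the guest keeps running between searches, hits collected over several commands are not a consistent snapshot of memory; pause the VM first if that matters.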

On 07/05/2015 14:31, Lonnie Cumberland wrote:
> Hello All,
>
> Can someone please tell me if there are any examples or tutorials on 
> using the VirtualBox built-in debugger?  I have read over the 
> information in Chapter 12 of the manual, but it really does not show 
> any specifics related to the address "range" format used in the SA 
> (Search) command to access Guest ram. I need to scan the Guest ram 
> while the VM is active to collect some information. The Host is a 
> Windows 7 (64Bit) and test Guest is also a Windows 7 (64bit).
>
> Any information or experiences using the built-in debugger would be 
> greatly appreciated.
>
> Thanks and have a great day,
> Lonnie
>
> < CONFIDENTIALITY NOTICE > The information contained in this 
> communication is confidential and is intended only for the use of the 
> recipient named above, and may be legally privileged and exempt from 
> disclosure under applicable law.  If the reader of this message is not 
> the intended recipient, please resend to sender and delete the 
> original from your computer system.  You are hereby notified that any 
> dissemination, distribution or copying of this communication is 
> strictly prohibited.  Opinions, conclusions and other information in 
> this message that do not relate to our official business should be 
> understood as neither given nor endorsed.
>
> On Wed, May 6, 2015 at 9:44 AM, Lonnie Cumberland
> <lonnie at biofuelstechnologyinc.com> wrote:
>
>     Hi Again All,
>
>     I think that I have answered my own question in that I have now
>     been looking through the VBox debugger commands and actually what
>     I wanted to do was to search through the guest memory for a
>     specific string.
>
>     To do this, I have found the
>
>     sa <range> <pattern>   ---- search memory for ASCII string.
>
>     Is there any information, or example, on the format needed for the
>     <range> ?
>
>     Kind Regards and have a great day,
>     Lonnie
>
>     On Wed, May 6, 2015 at 9:29 AM, Lonnie Cumberland
>     <lonnie at biofuelstechnologyinc.com> wrote:
>
>         Greetings All,
>
>         I am getting a feel for the VirtualBox debugger (dbg) in that
>         I need to be able to look through an active guest memory.
>
>         Can someone please tell me the best approach to looking
>         through a guest memory with dbg?
>
>         Kind Regards and have a great day,
>         Lonnie
>
