WinDbg : .formats
Sometimes we need to quickly check what a memory pattern looks like when displayed in different formats, such as hex, decimal, string, date/time, etc. The .formats command comes in handy at this time.
kd> .formats 0x12345678
Evaluate expression:
Hex: 12345678
Decimal: 305419896
Octal: 02215053170
Binary: 00010010 00110100 01010110 01111000
Chars: .4Vx
Time: Thu Sep 06 04:21:36 1979
Float: low 5.69046e-028 high 0
Double: 1.50897e-315
For our sample input this might not look very useful, but let's assume that we want to run it on a random memory location to see what it is.
For the sake of example, let's use what we learnt from the db and dd commands here.
We saw that using db and dd we can dump the bytes in memory, as bytes and as DWORDs respectively.
kd> db nt
82608000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
82608010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
82608020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
82608030 00 00 00 00 00 00 00 00-00 00 00 00 78 02 00 00 ............x...
82608040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
82608050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
82608060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
82608070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
kd> dd nt
82608000 00905a4d 00000003 00000004 0000ffff
82608010 000000b8 00000000 00000040 00000000
82608020 00000000 00000000 00000000 00000000
82608030 00000000 00000000 00000000 00000278
82608040 0eba1f0e cd09b400 4c01b821 685421cd
82608050 70207369 72676f72 63206d61 6f6e6e61
82608060 65622074 6e757220 206e6920 20534f44
82608070 65646f6d 0a0d0d2e 00000024 00000000
From the db dump we know that the byte at location 82608000 is the ASCII character 'M'. But we also see that the same memory dumped as DWORDs with dd (00905a4d) is difficult to read, because the four bytes are stored little-endian and so appear reversed. Let's use .formats to help us here.
kd> .formats 00905a4d
Evaluate expression:
Hex: 00905a4d
Decimal: 9460301
Octal: 00044055115
Binary: 00000000 10010000 01011010 01001101
Chars: ..ZM
Time: Mon Apr 20 17:21:41 1970
Float: low 1.32567e-038 high 0
Double: 4.67401e-317
This is certainly more readable for a human, and hints that the pattern in question contains the ASCII characters MZ, the signature at the start of a Windows PE file. The Chars line shows them as ..ZM because .formats prints the DWORD most significant byte first, while in memory the bytes are little-endian, so 'M' (0x4d) is the first byte.
Note: We can also run .formats directly on a memory address. The poi operator reads the pointer-sized value stored at that address, which on this 32-bit target is the same DWORD that dd showed.
kd> .formats poi(82608000)
Evaluate expression:
Hex: 00905a4d
Decimal: 9460301
Octal: 00044055115
Binary: 00000000 10010000 01011010 01001101
Chars: ..ZM
Time: Mon Apr 20 17:21:41 1970
Float: low 1.32567e-038 high 0
Double: 4.67401e-317
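To make the .formats output above reproducible outside the debugger, here is an added Python re-implementation (not WinDbg code, and not from the original post) of the views .formats prints for one 32-bit value, plus a small poi() that reads a little-endian DWORD out of the db bytes shown on this page. It assumes the Time line is the value taken as Unix-epoch seconds; WinDbg prints it in the debugger machine's local time, and the page's Time lines are exactly 5 h 30 min ahead of the UTC values this code returns.

```python
import struct
from datetime import datetime, timezone

# Constructed from the page's "db nt" output: the first 16 bytes at nt (0x82608000).
NT_BASE = 0x82608000
NT_BYTES = bytes.fromhex("4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00")


def poi(address: int, memory: bytes = NT_BYTES, base: int = NT_BASE) -> int:
    """Mimic WinDbg's poi(): read the pointer-sized (32-bit here) little-endian value at address."""
    off = address - base
    if not 0 <= off <= len(memory) - 4:
        raise ValueError(f"address {address:#x} not inside the embedded dump")
    return int.from_bytes(memory[off:off + 4], "little")


def formats(value: int) -> dict:
    """Return the same views as 'kd> .formats value' for a 32-bit value, keyed by line name."""
    v = value & 0xFFFFFFFF
    raw = v.to_bytes(4, "big")              # bytes in the printed (most significant first) order
    return {
        "hex": f"{v:08x}",
        "decimal": str(v),
        "octal": f"{v:011o}",               # WinDbg pads octal to 11 digits
        "binary": " ".join(f"{b:08b}" for b in raw),
        # Non-printable bytes are shown as '.', exactly like the db ASCII column.
        "chars": "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw),
        # Value interpreted as seconds since the Unix epoch (UTC here; WinDbg uses local time).
        "time": datetime.fromtimestamp(v, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y"),
        # 'Float: low' is the DWORD as an IEEE-754 single; 'high' is the (zero) upper DWORD.
        "float_low": struct.unpack(">f", raw)[0],
        "float_high": 0.0,
        # 'Double' treats the whole 64-bit register as an IEEE-754 double (a tiny subnormal).
        "double": struct.unpack(">d", v.to_bytes(8, "big"))[0],
    }


def render(value: int) -> str:
    """Print the dict the way the kd prompt does."""
    f = formats(value)
    return "\n".join([
        "Evaluate expression:",
        f"Hex: {f['hex']}", f"Decimal: {f['decimal']}", f"Octal: {f['octal']}",
        f"Binary: {f['binary']}", f"Chars: {f['chars']}", f"Time: {f['time']}",
        f"Float: low {f['float_low']:.5e} high {f['float_high']:g}",
        f"Double: {f['double']:.5e}",
    ])


if __name__ == "__main__":
    print(render(0x12345678))
    print(render(poi(0x82608000)))     # same DWORD dd showed: 00905a4d, Chars ..ZM
```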