FS_Search
The directory search/bin exists as a sub-directory to the file system root under /misc/search/bin and in each process directory.
The search functionality allows for flexible efficient searching in process virtual memory and/or physical memory.
The files in the search/bin directories are listed in the table below:
| File | Description |
|---|---|
| addr-min.txt | Minimum address to search from. |
| addr-max.txt | Maximum address to search to. |
| align.txt | Byte-alignment of search (1, 2, 4, 8, 16, 0x1000 bytes etc.). |
| ptr32.txt | Search for 32-bit pointer references. See below for additional info. |
| ptr64.txt | Search for 64-bit pointer references. See below for additional info. |
| readme.txt | README file. |
| reset.txt | Write 1 to prepare for new search / abort on-going search / empty previous search. |
| result.txt | Addresses with search matches. |
| search.txt | The search term in hexascii. See below for additional info. |
| search-skip-bitmask.txt | Bitmask applied to each bit of search.txt. 0 = search normally. 1 = wildcard search of the specific bit. |
| status.txt | Status of an ongoing or completed search. |
Files in the search/bin directories are read-write with the exception of readme.txt, result.txt and status.txt.
Before a search is initiated it's possible to set optional constraints, such as min and max address, search alignment and any wildcard characters in the search-skip-bitmask.txt bitmask.
The search is initiated by writing a hexascii term into the file search.txt. Once written the search starts immediately.
It's possible to follow the status of the search by monitoring status.txt. It's also possible to abort/clear a previous search by writing 1 into reset.txt - this will allow for new search.
It's possible to search for pointers by writing to the ptr32.txt or ptr64.txt files. The search is automatically initiated with alignment 4 for 32-bit pointers and alignment 8 for 64-bit pointers.
The search functionality in misc/search will search the entire physical memory space.
The search functionality in each process will search the process virtual memory. In case of a 64-bit address space the search will only be performed on the relevant address space (as shown in the memmap functionality) for performance reasons. To search kernel address space please select the SYSTEM (PID 4) process or one of the CSRSS.EXE processes. Other processes are usually only searched in the user part of the address space - i.e. 0x0 to 0x7fffffffffff.
The example shows the search for pointer address references to the address 0xffffcf00d217eb40 in virtual address space of the System process. Please note that the byte order is reversed due to how pointers are stored in memory (little endian).
The search/bin sub-directories are implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_search.c in the vmm project.