InWindbgPassedS Command to search for string or key bytecode information in the memory
0: 005> S-u 00c00000 l000000 "Hello 20:15 2012/6/620: 15 2012/6/6" 01960d28 4f60 597d 0020 0032 0030 003a 0031 0035 'o} y. 2.0.
View memory01960d28
01960d28 00 00 00 00 00 00 30 00 3A 00 31 00 35 00 20 00 ........ 0. :. 1.5 .. 01960d3a 32 00 30 00 31 00 32 00 2f 00 36 00 2f 00 36 00 32 00 2.0.1.2. /. 6. /. 6.2.01960d4c 30 00 3A 00 31 00 35 00 20 00 32 00 30 00 31 00 32 00 0. :. 1.5 .. 2.0.1.2.01960d5e 2f 00 36 00 2f 00 36 00 00 00 00 00 00 00 00 00 00 00 /. 6. /. 6 ...........
After finding the content, useBaSetting access breakpoint will interrupt when any function accesses this memory
0: 005> BA R4 01960d28 0: 005> BL 0 du 0001 (0001) (@ MASM ('itemoperation. CPP: 60 + ') 1 e 01960d28 R 4 0001 (0001) 0: ***** 2 e 771c3540 0001 (0001) 0: ***** NTDLL! Dbgbreakpoint
InProgramAccessing this address will interrupt the debugger.
0: 005> gbreakpoint 1 hiteax = 019607d0 EBX = 00000023 ECx = 00000003 edX = 0000002c ESI = 019607d0 EDI = Limit = 76d29c9c ESP = 000fefa4 EBP = 000fefa8 iopl = 0 NV up ei nz na PE NCCS = 001b Ss = 0023 DS = 0023 es = 0023 FS = 003b GS = 0000 EFL = 00000206 msvcrt! _ Vec_memcpy + 0x125: 76d29c9c 660f7f4760 movdqa xmmword PTR [EDI + 60 h], xmm0 DS: 0023: 01960d30 = 003100300032002000350031003a0030
Of course, you can also find other content as needed to set the corresponding access breakpoint.