Question
One can dump all the strings using the following command: !dumpheap -type System.String
How can I dump or print only those strings which start with or contain a specific "string"?
Example: I am only interested in viewing the strings which contain "/my/app/request".
Answer 1:
Use sosex instead of sos for this. It has a !strings command which allows you to filter strings using the /m:<filter> option.
Answer 2:
Use !sosex.strings. See !sosex.help for options to filter strings based on content and/or length.
Answer 3:
Not sure if !dumpheap supports that. You can always use .logopen to redirect the output to a file and post-process that. For a more elegant (and thus more complicated) solution, you can also use .shell to redirect the command output to a shell process for parsing. Here's an example:
http://blogs.msdn.com/b/baleixo/archive/2008/09/06/using-shell-to-search-text.aspx
You can also see the .shell documentation for more details:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff565339(v=vs.85).aspx
Answer 4:
If you really want to go without SOSEX, then try
.foreach (string {!dumpheap -short -type System.String}) { .foreach (search {s -u ${string}+c ${string}+c+2*poi(${string}+8) "mySearchTerm"}) { du /c80 ${string}+c }}
It uses
- !dumpheap to get all Strings on .NET heap
- .foreach to iterate over them
- s to search for a substring
- .foreach again to find out if s found something
- some offset calculations to get the first character (+c) of the string and the string length (+8) (multiplied by 2 to get bytes instead of characters). Those need to be adapted in case of 64 bit applications
The /c80 is just for nicer output. You could also use !do ${string} instead of du /c80 ${string}+c if you like the .NET details of the String.
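Added example, not part of any of the answers above: a Python post-processor for the .logopen approach from answer 3, applied to a log of du output such as the du /c80 ${string}+c command in answer 4 produces. Because du wraps long strings across lines, it rejoins address-contiguous chunks before filtering, so a search term that straddles a wrap is still found. Assumptions: each du line is an address followed by a quoted chunk, and the sample log and the names `reassemble` and `find_strings` are constructed for illustration.

```python
import re

# Assumed shape of a du output line: hex address (64-bit ones contain a
# backtick), whitespace, then the chunk in double quotes.
DU_LINE = re.compile(r'^([0-9a-fA-F`]+)\s+"(.*)"\s*$')


def reassemble(log_text):
    """Yield (start_address, full_string), joining wrapped du lines."""
    start = expected = None
    parts = []
    for line in log_text.splitlines():
        m = DU_LINE.match(line)
        if not m:
            continue  # prompts, echoed commands, blank lines
        addr = int(m.group(1).replace("`", ""), 16)
        chunk = m.group(2)
        if addr != expected:  # not contiguous: a new string begins here
            if parts:
                yield start, "".join(parts)
            start, parts = addr, []
        parts.append(chunk)
        expected = addr + 2 * len(chunk)  # UTF-16: two bytes per character
    if parts:
        yield start, "".join(parts)


def find_strings(log_text, needle):
    """Return every reassembled string that contains needle."""
    return [(a, s) for a, s in reassemble(log_text) if needle in s]


# Constructed sample log; lines wrap at 16 characters to keep it short.
SAMPLE_LOG = """\
Opened log file 'strings.log'
02a41010  "/my/app/request/"
02a41030  "orders?id=42"
02a51200  "unrelated text"
02a61300  "GET /my/app/requ"
02a61320  "est/login"
"""

if __name__ == "__main__":
    for addr, text in find_strings(SAMPLE_LOG, "/my/app/request"):
        print(f"{addr:08x}  {text}")
```

A plain line-by-line search of the same log would miss the last string, because the search term is split between two du lines.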
Source: https://stackoverflow.com/questions/12380787/windbg-how-can-i-dump-strings-which-match-a-given-filter