Search Memory

Search Memory locates sequences of bytes in program memory.  The search is based on a value entered as hex numbers, decimal numbers or strings.  The byte sequence may contain "wildcards" that will match any byte (or possibly nibble). String searching also allows for the use of regular expression searches.

To Search Memory:

1. From the Tool, select Search Memory
2. Enter a Hex String in the Value field
   This will create a Hex Sequence for searching.
3. Choose "Next" to find the next occurrence
                                 - or -
   Choose "Previous" to find the previous occurrence
                                 - or -
   Choose "Search All" to find all occurrences.

Search Formats

• Hex
• String
• Decimal
• Binary
• Regular Expression

Search Options

Search

Search Value

• The value to search.  The values entered will be interpreted based on the Format options.

Hex Sequence

• As the search value is entered, this field will display the exact hex byte sequence that will be searched for in memory.

Format

Hex:

• Value is interpreted as a sequence of hex numbers, separated by spaces.  Wildcard characters can be used to match any single hex digit (i.e. any 4 bit value).  Either the '.' or '?' character can be used for the wildcard character.
• Each hex number (separated by spaces) will produce a sequence of bytes that may be reversed depending on the Byte Order.
• The byte search pattern is formed by concatenating the bytes from each hex number.

Example:

Value:	"1234 567 89ab"
Little Endian Hex Sequence	34 12 67 05 ab 89
Big Endian Hex Sequence	12 34 05 67 89 ab

As a convenience, if a user enters a single wildcard value within the search text, then the search string will be interpreted as if 2 consecutive wildcard characters were entered, meaning to match any byte value.

Similarly, if the search string contains an odd number of characters, then a 0 is prepended to the search string, based on the assumption that a single hex digit implies a leading 0 value.

 

String:

Value is interpreted as the specified character encoding. The center panel of the Search Memory dialog shows the Format Options, described below.

• Encoding - Interprets strings by the specified encoding.  Note that byte ordering determines if the high order byte comes first or last.
• Case Sensitive - Turning off this option will search for the string regardless of case using the specified character encoding. Only applicable for English characters.
• Escape Sequences - Enabling this option allows escape sequences in the search value (i.e., allows \n to be searched for).

Decimal:

Value is interpreted as a sequence of decimal numbers, separated by spaces. The center panel of the Search Memory dialog shows the Decimal Options, described below.

• Only numbers that fit the specified Decimal Options are allowed to be entered.
• The byte search pattern is formed by concatenating the bytes from each  number.
• Valid decimal numbers are:
  • Byte - any fixed point 8 bit number  (-128 to 255)
  • Word - any fixed point 16 bit number (-32768 to 65535)
  • DWord - any fixed point 32 bit number (you get the idea.....)
  • QWord - any fixed point 64 bit number
  • Float - any 32 bit floating point number
  • Double any 64 bit floating point number

Binary:

Value is interpreted as a sequence of binary numbers, separated by spaces.  Wildcard characters ('x' or '?' or '.') can be used to match any bit.

• Only binary digits (0 or 1) or wildcard characters (*?.) are allowed to be entered.
• The byte search pattern is formed by concatenating the bytes from each  number.
• An additional Mask byte which is not shown, is generated for each search byte to handle the wildcards.

Regular Expression:

Value is interpreted as a Java Regular Expression that is matched against memory as if all memory was a string. Help on how to form regular expressions is available on the Regular Expression Help page.

• Regular Expressions can only be used to search forward in memory.
• No Hex Sequence is displayed for regular expressions.

Memory Block Types

• Selects which initialized memory blocks are searched. Ghidra now stores external information from the program's file header in special memory blocks. These blocks do not live in the program's address space, but instead are stored in the "OTHER" address space. Memory blocks which would be found in an actual running version of the program are referred to as "Loaded Memory Blocks."
• • Loaded Blocks - will search only "loaded" memory blocks (memory blocks that would appear in an actual running instance of the program) and not "Other" information memory blocks.
  • All Blocks - will search all memory blocks including "Other" blocks.

 

Selection Scope

• Search All - If this option is selected, the search will search all memory in the tool.
• Search Selection - If this option is selected, the search will be restricted to the current selection in the tool. This option is only enabled if there is a current selection in the tool.

 

Code Unit Scope

Filters the matches based upon the code unit containing a given address.

• Instructions - includes instruction code units in the search.
• Defined Data - includes defined data in the search.
• Undefined Data - includes undefined data in the search.

Byte Order

Sets the byte ordering for multi-byte values.  Has no effect on non-Unicode Ascii values, Binary, or regular expressions.

Little Endian - places low-order bytes first.
For example, the hex number "1234" will generate the bytes "34" , "12".

Big Endian - places high-order bytes first.
For example, the hex number "1234" will generate the bytes "12", "34".

Alignment

• Generally the alignment defaults to 1, but can be set to any number greater than 0. The search results will be limited to those that begin on the specified byte alignment. In other words, an alignment of 1 will get all matching results regardless of the address where each begins. An alignment of 2 will only return matching results that begin on a word aligned address.

 

Searching

• Next / Previous - Finds the next/previous occurrence of the byte pattern from the current cursor location; if you mouse click in the Code Browser to move focus there, you can choose Search Repeat Memory Search to go to the next/previous match found.
• Search All - Finds all occurrences of the byte pattern in a Query Results display.

For very large Programs that may take a while to search, you can cancel the search at any time. For these situations, a progress bar is displayed, along with a Cancel button. Click on the Cancel button to stop the search. 

Dismissing the search dialog automatically cancels the search operation.

 

Highlight Search Option

You can specify that the bytes found in the search be highlighted in the Code Browser by selecting the Highlight Search Results checkbox on the Search Options panel. To view the Search Options, select Edit Tool Options... from the tool menu, then select the Search node in the Options tree in the Options dialog. You can also change the highlight color. Click on the color bar next to Highlight Color to bring up a color chooser. Choose the new color, click on the OK button. Apply your changes by clicking on the OK or Apply button on the Options dialog. 

Highlights are displayed for the last search that you did. For example, if you bring up the Search Program Text dialog and search for text, that string now becomes the new highlight string. Similarly, if you invoke cursor text highlighting, that becomes the new highlight string.

Highlights are dropped when you close the search dialog, or close the query results window for your most recent search.

Search for Matching Instructions

This action works only on a selection of code. It uses the selected instructions to build a combined mask/value bit pattern that is then used to populate the search field in the Memory Search Dialog. This enables searching through memory for a particular ordering of instructions. There are three options available: 

• Include Operands - All bits that make up the instruction and all bits that make up the operands will be included in the search pattern.
• Exclude Operands - All bits that make up the instruction are included in the search pattern but the bits that make up the operands will be masked off to enable wild carding for those bits.
• Include Operands (except constants) - All bits that make up the instruction are included in the search pattern and all bits that make up the operands, except constant operands, which will be masked off to enable wild carding for those bits.

Example:

A user first selects the following lines of code. Then, from the Search menu they choose Search for Matching Instructions and one of the following options:

Option 1:

If the Include Operands action is chosen then the search will find all instances of the following instructions and operands.

All of the bytes that make up the selected code will be searched for exactly, with no wild carding. The bit pattern 10000101 11000000 01010110 01101010 00010100 01011110 which equates to the byte pattern 85 c0 56 6a 14 5e is searched for.

Option 2:

If the Exclude Operands option is chosen then the search will find all instances of the following instructions only.

Only the parts of the byte pattern that make up the instructions will be searched for with the remaining bits used as wildcards. The bit pattern 10000101 11...... 01010... 01101010 ........ 01011... is searched for where the .'s indicate the wild carded values.

Option 3:

If the Include Operands (except constants) option is chosen then the search will find all instances of the instruction and all operands except the 0x14 which is a constant.

The bit pattern 10000101 11000000 01010110 01101010 ........ 01011110 which equates to the byte pattern 85 c0 56 6a xx 5e is searched for where xx can be any number N between 0x0 and 0xff.

The previous operations can only work on a single selected region. If multiple regions are selected, the following error dialog will be shown and the operation will be cancelled.

Provided by: the MemSearchPlugin  

 

Related Topics:

• Searching Program Text
• Query Results
• Regular Expressions