Improved WinDBG opcode searching

Aug 25, 2008
1 min read
Rapid7

Last updated at Wed, 26 Jul 2017 16:18:05 GMT

Goaded by some coworkers about the opcode searching functionality of windbg prompted me to add a new option to jutsu today: searchOpcode

You can search for sets of instructions in conjunction, it will assemble them, providing you the machine code, then search for the instructions in executable memory. Instructions are delimited by pipes. I plan to add some limited wildcard functionality in the near future as well.

0:000> !jutsu searchOpcode pop ecx | pop ecx | ret
[J] Searching for:
> pop ecx
> pop ecx
> ret
[J] Machine Code:
> 59 59 c3
[J] Opcode sequence found at: 0x004012f9

Improved WinDBG opcode searching

POST TAGS

SHARING IS CARING

AUTHOR

Topics

Popular Tags

Success! Thank you for submission. We will be in touch shortly.

Oops! There was a problem in submission. Please try again.

Submit your information and we will get in touch with you.

Improved WinDBG opcode searching

POST TAGS

SHARING IS CARING

AUTHOR

Topics

Popular Tags

Success! Thank you for submission. We will be in touch shortly.

Oops! There was a problem in submission. Please try again.

Submit your information and we will get in touch with you.

Never miss a blog