
Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

WinDbg as UNICODE to ASCII Converter

Steps:

1. Open a crash dump or attach WinDbg to a process you can sacrifice.

2. Enter this command: eb rsp <UNICODE STRING> [00 00]

0: kd> eb rsp 42 00 65 00 65 00 74 00 68 00 6F 00 76 00 65 00 6E 00 3A 00
20 00 53 00 79 00 6D 00 70 00 68 00 6F 00 6E 00 69 00 65 00 73 00 20 00 31
00 20 00 61 00 6E 00 64 00 20 00 33 00 00 00

Note: use esp for a 32-bit dump. The trailing 00 00 terminator is not necessary if the string already ends with one. The eb command overwrites the memory at rsp (the top of the stack), which is why the process must be one you can sacrifice.

3. Enter this command: du rsp

0: kd> du rsp
fffff880`15925ae8  "Beethoven: Symphonies 1 and 3"
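As an added example (not from the book), the script below generates the eb command line for any string and decodes a byte list the way du reads it: aligned 16-bit code units up to the first 00 00 unit. The byte list PAGE_BYTES is the one from the command above; the function names are my own.

```python
# Added example (not from the book): build the WinDbg "eb" command that
# writes a UTF-16LE string to memory, and decode the bytes the way "du"
# reads them (aligned 16-bit units up to the first 00 00 unit).
import re

PAGE_BYTES = (  # byte list from the eb command shown on the page
    "42 00 65 00 65 00 74 00 68 00 6F 00 76 00 65 00 6E 00 3A 00 "
    "20 00 53 00 79 00 6D 00 70 00 68 00 6F 00 6E 00 69 00 65 00 73 00 20 00 31 "
    "00 20 00 61 00 6E 00 64 00 20 00 33 00 00 00"
)

def eb_command(text: str, register: str = "rsp") -> str:
    """Return an 'eb <register> ...' line writing TEXT as UTF-16LE plus a
    00 00 terminator. WinDbg expects one two-digit hex byte per token."""
    data = text.encode("utf-16-le") + b"\x00\x00"
    return f"eb {register} " + " ".join(f"{b:02X}" for b in data)

def parse_hex_bytes(hex_tokens: str) -> bytes:
    """Turn the space-separated byte list of an eb command into bytes."""
    tokens = re.findall(r"[0-9A-Fa-f]{2}", hex_tokens)
    return bytes(int(t, 16) for t in tokens)

def du_decode(data: bytes) -> str:
    """Decode like 'du': walk 2-byte code units from the start and stop at
    the first unit that is 0x0000.  Scanning byte pairs at odd offsets
    would stop early on characters such as U+0100 ('41 00 00 01')."""
    units = []
    for i in range(0, len(data) - 1, 2):
        unit = data[i:i + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le")

def round_trip(text: str) -> str:
    """Build the eb command for TEXT and decode its byte list again."""
    cmd = eb_command(text)
    return du_decode(parse_hex_bytes(cmd.split(" ", 2)[2]))

if __name__ == "__main__":
    print(eb_command("Beethoven: Symphonies 1 and 3"))
    print(du_decode(parse_hex_bytes(PAGE_BYTES)))
```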
