(gdb) x/s &buf 0x804961c : "51201314" $ ps auwx | grep findtest root 3919 0.0 0.9 14496 7044 pts/0 S+ 14:41 0:00 gdb -n ./findtest root 3923 0.0 0.0 1532 288 pts/0 T 14:41 0:00 /tmp/findtest root 3944 0.0 0.0 3944 736 pts/1 R+ 14:43 0:00 grep findtest $ cat /proc/3923/maps 08048000-08049000 r-xp 00000000 08:01 378873 /tmp/findtest 08049000-0804a000 rw-p 00000000 08:01 378873 /tmp/findtest b7e8a000-b7e8b000 rw-p b7e8a000 00:00 0 b7e8b000-b7fcb000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7fcb000-b7fcd000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7fcd000-b7fce000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7fce000-b7fd1000 rw-p b7fce000 00:00 0 b7fe2000-b7fe4000 rw-p b7fe2000 00:00 0 b7fe4000-b7fe5000 r-xp b7fe4000 00:00 0 [vdso] b7fe5000-b8000000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so b8000000-b8001000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so b8001000-b8002000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so bffea000-c0000000 rw-p bffea000 00:00 0 [stack] 就本例而言，至少有三种办法搜索内存。在GDB中调用被调试进程空间中的memmem()函数: (gdb) p/x memmem( 0x08048000, 0x2000, "5120", 4 ) 0x804861c (gdb) p/x memmem( 0x08049000, 0x1000, "5120", 4 ) 0x804961c (gdb) GDB 7.x开始支持find命令: (gdb) find /b /10 0x08048000, 0x0804a000, 0x35, 0x31, 0x32, 0x30 0x804861c 0x804961c 2 patterns found. (gdb) find /b /10 0x08048000, 0x0804a000, 0x31, 0x33, 0x31, 0x34 0x8048500 0x8048620 0x8049500 0x8049620 4 patterns found. 过去的很多年里，我个人一直用define自己实现内存搜索: -------------------------------------------------------------------------- define find1 set $count=0 set $address=$arg0 while (((unsigned int)$count<(unsigned int)$arg3)&&((unsigned int)$address<=(unsigned int)$arg1)) if (*(unsigned char *)$address==(unsigned char)$arg4) set $count=$count+1 x/1bx $address end set $address=$address+$arg2 end end document find1 find1 end define find2 set $count=0 set $address=$arg0 while (((unsigned int)$count<(unsigned int)$arg3)&&((unsigned int)$address<=(unsigned int)$arg1)) if (*(unsigned short int *)$address==(unsigned short int)$arg4) set $count=$count+1 x/1hx $address end set $address=$address+$arg2 end end document find2 find2 end define find4 set $count=0 set $address=$arg0 while (((unsigned int)$count<(unsigned int)$arg3)&&((unsigned int)$address<=(unsigned int)$arg1)) if (*(unsigned int *)$address==(unsigned int)$arg4) set $count=$count+1 x/1wx $address end set $address=$address+$arg2 end end document find4 find4 end define find8 set $count=0 set $address=$arg0 while (((unsigned int)$count<(unsigned int)$arg3)&&((unsigned int)$address<=(unsigned int)$arg1)) if (*(unsigned long long *)$address==(unsigned long long)$arg4) set $count=$count+1 x/1gx $address end set $address=$address+$arg2 end end document find8 find8 end define fill1 set $count=0 set $address=$arg0 while ((unsigned int)$count<(unsigned int)$arg1) set *(unsigned char *)$address=(unsigned char)$arg2 set $address=$address+1 set $count=$count+1 end end document fill1 fill1

end define fill2 set $count=0 set $address=$arg0 while ((unsigned int)$count<(unsigned int)$arg1) set *(unsigned short int *)$address=(unsigned short int)$arg2 set $address=$address+2 set $count=$count+1 end end document fill2 fill2

end define fill4 set $count=0 set $address=$arg0 while ((unsigned int)$count<(unsigned int)$arg1) set *(unsigned int *)$address=(unsigned int)$arg2 set $address=$address+4 set $count=$count+1 end end document fill4 fill4

end define fill8 set $count=0 set $address=$arg0 while ((unsigned int)$count<(unsigned int)$arg1) set *(unsigned long long *)$address=(unsigned long long)$arg2 set $address=$address+8 set $count=$count+1 end end document fill8 fill8

end -------------------------------------------------------------------------- (gdb) help find4 find4 (gdb) help find8 find8 (gdb) find4 0x08048000 0x0804a000 4 10 0x34313331 0x8048500: 0x34313331 0x8048620: 0x34313331 0x8049500: 0x34313331 0x8049620 : 0x34313331 (gdb) find8 0x08048000 0x0804a000 4 10 0x3431333130323135 0x804861c: 0x3431333130323135 0x804961c : 0x3431333130323135