Sometimes you need to look for a pattern in disassembled code. You can browse the disassembly and look for the pattern by hand, or you can use a command to automate the search. The # command does exactly that.

# [Pattern] [Address [L Size ]]


Parameters:


Pattern - Specifies the pattern to search for in the disassembly code. If you have previously used the # command and you omit Pattern, the command reuses the most recently used pattern.

Address - Specifies the address where the search begins.

Size - Specifies the number of instructions to search. If you omit Size, the search continues until the first match occurs.


To demonstrate this command, let’s use this simple Visual C++ application that recursively calculates the Fibonacci number for a given input:


#include "stdafx.h"     // precompiled header of the Visual C++ project
#include <iostream>     // cout, endl
#include <tchar.h>      // _tmain, _TCHAR

using namespace std;

// Recursive function. nNum is not used by the function, but the caller still
// pushes it (the "push 0" before "push 5" in the disassembly below).
unsigned FiboRecursive(unsigned n, int nNum = 0)
{
    if(n <= 1)
    {
        return n;
    }

    return FiboRecursive(n - 1, 1) + FiboRecursive(n - 2, 2);
}

int _tmain(int argc, _TCHAR* argv[])
{
    cout << FiboRecursive(5) << endl;

    return 0;
}


Let’s set a breakpoint on the single line in main() and let execution break there.


Now let’s disassemble the whole function that eip points into (uf @eip):


0:000> uf @eip
Fibo!wmain [c:\development\my tools\book\fibo\fibo\fibo.cpp @ 20]:
   20 00a71440 55              push    ebp
   20 00a71441 8bec            mov     ebp,esp
   20 00a71443 81ecc0000000    sub     esp,0C0h
   20 00a71449 53              push    ebx
   20 00a7144a 56              push    esi
   20 00a7144b 57              push    edi
   20 00a7144c 8dbd40ffffff    lea     edi,[ebp-0C0h]
   20 00a71452 b930000000      mov     ecx,30h
   20 00a71457 b8cccccccc      mov     eax,0CCCCCCCCh
   20 00a7145c f3ab            rep stos dword ptr es:[edi]
   21 00a7145e 8bf4            mov     esi,esp
   21 00a71460 a19882a700      mov     eax,dword ptr [Fibo!_imp_?endlstdYAAAV?$basic_ostreamDU?$char_traitsDstd (00a78298)]
   21 00a71465 50              push    eax
   21 00a71466 6a00            push    0
   21 00a71468 6a05            push    5
   21 00a7146a e89bfbffff      call    Fibo!ILT+5(?FiboRecursiveYAIIHZ) (00a7100a)
   21 00a7146f 83c408          add     esp,8
   21 00a71472 8bfc            mov     edi,esp
   21 00a71474 50              push    eax
   21 00a71475 8b0d9082a700    mov     ecx,dword ptr [Fibo!_imp_?coutstd (00a78290)]
   21 00a7147b ff159482a700    call    dword ptr [Fibo!_imp_??6?$basic_ostreamDU?$char_traitsDstdstdQAEAAV01IZ (00a78294)]
   21 00a71481 3bfc            cmp     edi,esp
   21 00a71483 e8d1fcffff      call    Fibo!ILT+340(__RTC_CheckEsp) (00a71159)
   21 00a71488 8bc8            mov     ecx,eax
   21 00a7148a ff159c82a700    call    dword ptr [Fibo!_imp_??6?$basic_ostreamDU?$char_traitsDstdstdQAEAAV01P6AAAV01AAV01ZZ (00a7829c)]
   21 00a71490 3bf4            cmp     esi,esp
   21 00a71492 e8c2fcffff      call    Fibo!ILT+340(__RTC_CheckEsp) (00a71159)
   23 00a71497 33c0            xor     eax,eax
   24 00a71499 5f              pop     edi
   24 00a7149a 5e              pop     esi
   24 00a7149b 5b              pop     ebx
   24 00a7149c 81c4c0000000    add     esp,0C0h
   24 00a714a2 3bec            cmp     ebp,esp
   24 00a714a4 e8b0fcffff      call    Fibo!ILT+340(__RTC_CheckEsp) (00a71159)
   24 00a714a9 8be5            mov     esp,ebp
   24 00a714ab 5d              pop     ebp
   24 00a714ac c3              ret


Using the command below, we display the first occurrence of ret, starting the search at the beginning of wmain (00a71440):


0:000> # ret 00a71440
Fibo!wmain+0x6c [c:\development\my tools\book\fibo\fibo\fibo.cpp @ 24]:
00a714ac c3              ret


Looking for another pattern (the * is a wildcard, so the pattern matches a call whose target starts with Fibo!ILT):


0:000> # call*Fibo!ILT 00a71440
Fibo!wmain+0x2a [c:\development\my tools\book\fibo\fibo\fibo.cpp @ 21]:
00a7146a e89bfbffff      call    Fibo!ILT+5(?FiboRecursiveYAIIHZ) (00a7100a)


Now let’s look for push instructions in a specific module/executable:


0:000> lm
start    end        module name
00a60000 00a7b000   Fibo     C (private pdb symbols)  C:\development\My Tools\Book\Fibo\Debug\Fibo.pdb
67350000 67473000   MSVCR90D   (deferred)
690c0000 69197000   MSVCP90D   (private pdb symbols)  c:\publicsymbols\msvcp90d.i386.pdb\7B1C9137C0074A0E921BE874ADF944191\msvcp90d.i386.pdb
75e00000 75e44000   KERNELBASE   (deferred)
75eb0000 75fb0000   kernel32   (deferred)
776c0000 77840000   ntdll      (pdb symbols)          c:\publicsymbols\wntdll.pdb\E06BEA155E9748BEA818E2D0DD2FED952\wntdll.pdb

Starting the search at the module’s base address (the start column of the lm output):

0:000> # push 00a60000
Fibo!__ImageBase+0x40:
00a60040 0e              push    cs


As you can see, when looking for patterns in disassembled code, “#” is the way to go! Here is a script that automates the process.
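As an added illustration (not part of the original post, and not the script it refers to), the following Python models the search semantics of the # command, run over a few constructed lines copied from the uf @eip listing above. It assumes the pattern is an unanchored, case-insensitive wildcard match (* and ? as in fnmatch) against the instruction text, that Address selects where the search starts, and that L Size limits how many instructions are examined.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: a few lines copied from the "uf @eip" listing in the post.
UF_OUTPUT = """\
   20 00a71440 55              push    ebp
   20 00a71441 8bec            mov     ebp,esp
   21 00a71468 6a05            push    5
   21 00a7146a e89bfbffff      call    Fibo!ILT+5(?FiboRecursiveYAIIHZ) (00a7100a)
   21 00a7146f 83c408          add     esp,8
   21 00a71483 e8d1fcffff      call    Fibo!ILT+340(__RTC_CheckEsp) (00a71159)
   24 00a714ab 5d              pop     ebp
   24 00a714ac c3              ret
"""

# A uf line is: [source line] <address> <opcode bytes> <mnemonic> [operands]
LINE_RE = re.compile(r"^\s*(?:\d+\s+)?([0-9a-f]{8})\s+[0-9a-f]+\s+(.*\S)\s*$")

def parse_uf(text):
    """Return [(address, instruction text), ...] in listing order."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            insns.append((int(m.group(1), 16), m.group(2)))
    return insns

INSNS = parse_uf(UF_OUTPUT)

def search(insns, pattern, address=None, size=None):
    """Model of '# Pattern [Address [L Size]]' (assumed semantics, see lead-in):
    unanchored case-insensitive wildcard match on the instruction text, starting
    at Address, stopping at the first hit or after Size instructions."""
    glob = "*" + pattern.lower() + "*"
    window = [i for i in insns if address is None or i[0] >= address]
    if size is not None:
        window = window[:size]          # search at most Size instructions
    for addr, text in window:
        if fnmatchcase(text.lower(), glob):
            return addr, text
    return None                         # no match in the searched range

if __name__ == "__main__":
    for pat in ("ret", "call*Fibo!ILT", "push"):
        hit = search(INSNS, pat, 0x00a71440)
        print(f"# {pat} 00a71440 -> {hit[0]:08x} {hit[1]}" if hit else f"# {pat}: no match")
```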


Tip: Most commands mentioned in the Special Commands section of this blog have a script that uses them and could serve as another example of using the command. There are also scripts that use commands from the SOS.DLL extension to debug managed code.

Check out the WinDbg Scripts and PowerDbg Scripts sections.