diff --git a/Ghidra/Debug/Debugger-api/src/main/java/ghidra/debug/api/tracemgr/DebuggerCoordinates.java b/Ghidra/Debug/Debugger-api/src/main/java/ghidra/debug/api/tracemgr/DebuggerCoordinates.java
index afb0ce07a5..1f63cff305 100644
--- a/Ghidra/Debug/Debugger-api/src/main/java/ghidra/debug/api/tracemgr/DebuggerCoordinates.java
+++ b/Ghidra/Debug/Debugger-api/src/main/java/ghidra/debug/api/tracemgr/DebuggerCoordinates.java
@@ -4,9 +4,9 @@
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -778,10 +778,18 @@ public class DebuggerCoordinates {
return coords;
}
- public boolean isAlive() {
+ public static boolean isAlive(Target target) {
return target != null && target.isValid();
}
+ public boolean isAlive() {
+ return isAlive(target);
+ }
+
+ public static boolean isAliveAndPresent(TraceProgramView view, Target target) {
+ return isAlive(target) && target.getSnap() == view.getSnap();
+ }
+
protected boolean isPresent() {
TraceSchedule defaultedTime = getTime();
return target.getSnap() == defaultedTime.getSnap() && defaultedTime.isSnapOnly();
diff --git a/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/DebuggerByteSource.java b/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/DebuggerByteSource.java
new file mode 100644
index 0000000000..3080d36a0b
--- /dev/null
+++ b/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/DebuggerByteSource.java
@@ -0,0 +1,112 @@
+/* ###
+ * IP: GHIDRA
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package ghidra.app.plugin.core.debug.gui;
+
+import java.util.List;
+import java.util.concurrent.*;
+import java.util.stream.Stream;
+
+import db.Transaction;
+import ghidra.app.nav.Navigatable;
+import ghidra.app.plugin.core.debug.gui.action.DebuggerReadsMemoryTrait;
+import ghidra.debug.api.target.Target;
+import ghidra.debug.api.tracemgr.DebuggerCoordinates;
+import ghidra.features.base.memsearch.bytesource.AddressableByteSource;
+import ghidra.features.base.memsearch.bytesource.SearchRegion;
+import ghidra.framework.plugintool.PluginTool;
+import ghidra.program.model.address.*;
+import ghidra.program.model.listing.Program;
+import ghidra.program.model.mem.MemoryAccessException;
+import ghidra.trace.model.memory.*;
+import ghidra.trace.model.program.TraceProgramView;
+
+/**
+ * A byte source for searching the memory of a possibly-live target in the debugger.
+ *
+ *
+ * Because we'd like the search to preserve its state over the lifetime of the target, and the
+ * target "changes" by navigating snapshots, we need to allow the view to move without requiring a
+ * new byte source to be constructed. We cannot, however, just blindly follow the
+ * {@link Navigatable} wherever it goes. This is roughly the equivalent of a {@link Program}, but
+ * with knowledge of the target to cause a refresh of actual target memory when necessary.
+ */
+public class DebuggerByteSource implements AddressableByteSource {
+
+ private final PluginTool tool;
+ private final TraceProgramView view;
+ private final Target target;
+ private final DebuggerReadsMemoryTrait readsMem;
+
+ public DebuggerByteSource(PluginTool tool, TraceProgramView view, Target target,
+ DebuggerReadsMemoryTrait readsMem) {
+ this.tool = tool;
+ this.view = view;
+ this.target = target;
+ this.readsMem = readsMem;
+ }
+
+ @Override
+ public int getBytes(Address address, byte[] bytes, int length) {
+ AddressSet set = new AddressSet(address, address.add(length - 1));
+ try {
+ readsMem.getAutoSpec()
+ .readMemory(tool, DebuggerCoordinates.NOWHERE.view(view).target(target), set)
+ .get(Target.TIMEOUT_MILLIS, TimeUnit.MILLISECONDS);
+ return view.getMemory().getBytes(address, bytes, 0, length);
+ }
+ catch (AddressOutOfBoundsException | MemoryAccessException | InterruptedException
+ | ExecutionException | TimeoutException e) {
+ return 0;
+ }
+ }
+
+ @Override
+ public List getSearchableRegions() {
+ AddressFactory factory = view.getTrace().getBaseAddressFactory();
+ List spaces = Stream.of(factory.getPhysicalSpaces())
+ .filter(s -> s.getType() != AddressSpace.TYPE_OTHER)
+ .toList();
+ if (spaces.size() == 1) {
+ return DebuggerSearchRegionFactory.ALL.stream()
+ .map(f -> f.createRegion(null))
+ .toList();
+ }
+
+ Stream concat =
+ Stream.concat(Stream.of((AddressSpace) null), spaces.stream());
+ return concat
+ .flatMap(s -> DebuggerSearchRegionFactory.ALL.stream().map(f -> f.createRegion(s)))
+ .toList();
+ }
+
+ @Override
+ public void invalidate() {
+ try (Transaction tx = view.getTrace().openTransaction("Invalidate memory")) {
+ TraceMemoryManager mm = view.getTrace().getMemoryManager();
+ for (AddressSpace space : view.getTrace().getBaseAddressFactory().getAddressSpaces()) {
+ if (!space.isMemorySpace()) {
+ continue;
+ }
+ TraceMemorySpace ms = mm.getMemorySpace(space, false);
+ if (ms == null) {
+ continue;
+ }
+ ms.setState(view.getSnap(), space.getMinAddress(), space.getMaxAddress(),
+ TraceMemoryState.UNKNOWN);
+ }
+ }
+ }
+}
diff --git a/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/DebuggerSearchRegionFactory.java b/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/DebuggerSearchRegionFactory.java
new file mode 100644
index 0000000000..10e94f360e
--- /dev/null
+++ b/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/DebuggerSearchRegionFactory.java
@@ -0,0 +1,130 @@
+/* ###
+ * IP: GHIDRA
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package ghidra.app.plugin.core.debug.gui;
+
+import java.util.List;
+
+import ghidra.features.base.memsearch.bytesource.SearchRegion;
+import ghidra.program.model.address.*;
+import ghidra.program.model.listing.Program;
+import ghidra.program.model.mem.MemoryBlock;
+
+public enum DebuggerSearchRegionFactory {
+ FULL_SPACE("All Addresses", """
+ Searches all memory in the space, regardless of known validity.""") {
+
+ @Override
+ AddressSetView getAddresses(AddressSpace space, Program program) {
+ AddressSet set = new AddressSet();
+ if (space != null) {
+ set.add(space.getMinAddress(), space.getMaxAddress());
+ return set;
+ }
+ for (AddressSpace s : program.getAddressFactory().getAddressSpaces()) {
+ set.add(s.getMinAddress(), s.getMaxAddress());
+ }
+ return set;
+ }
+ },
+ VALID("Valid Addresses", """
+ Searches listed memory regions in the space.""") {
+
+ @Override
+ AddressSetView getAddresses(AddressSpace space, Program program) {
+ AddressSet set = new AddressSet();
+ for (MemoryBlock block : program.getMemory().getBlocks()) {
+ if (space == null || space == block.getStart().getAddressSpace()) {
+ set.add(block.getAddressRange());
+ }
+ }
+ return set;
+ }
+
+ @Override
+ boolean isDefault(AddressSpace space) {
+ return space == null;
+ }
+ },
+ WRITABLE("Writable Addresses", """
+ Searches listed regions marked as writable in the space.""") {
+
+ @Override
+ AddressSetView getAddresses(AddressSpace space, Program program) {
+ AddressSet set = new AddressSet();
+ for (MemoryBlock block : program.getMemory().getBlocks()) {
+ if (block.isWrite() &&
+ (space == null || space == block.getStart().getAddressSpace())) {
+ set.add(block.getAddressRange());
+ }
+ }
+ return set;
+ }
+ };
+
+ public static final List ALL = List.of(values());
+
+ record DebuggerSearchRegion(DebuggerSearchRegionFactory factory, AddressSpace spaces)
+ implements SearchRegion {
+ @Override
+ public String getName() {
+ return factory.getName(spaces);
+ }
+
+ @Override
+ public String getDescription() {
+ return factory.getDescription(spaces);
+ }
+
+ @Override
+ public AddressSetView getAddresses(Program program) {
+ return factory.getAddresses(spaces, program);
+ }
+
+ @Override
+ public boolean isDefault() {
+ return factory.isDefault(spaces);
+ }
+ }
+
+ private final String namePrefix;
+ private final String description;
+
+ private DebuggerSearchRegionFactory(String namePrefix, String description) {
+ this.namePrefix = namePrefix;
+ this.description = description;
+ }
+
+ public SearchRegion createRegion(AddressSpace space) {
+ return new DebuggerSearchRegion(this, space);
+ }
+
+ String getName(AddressSpace space) {
+ if (space == null) {
+ return namePrefix;
+ }
+ return "%s (%s)".formatted(namePrefix, space.getName());
+ }
+
+ String getDescription(AddressSpace spaces) {
+ return description;
+ }
+
+ abstract AddressSetView getAddresses(AddressSpace space, Program program);
+
+ boolean isDefault(AddressSpace space) {
+ return false;
+ }
+}
diff --git a/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/listing/DebuggerListingProvider.java b/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/listing/DebuggerListingProvider.java
index f8a96384b7..211b88326f 100644
--- a/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/listing/DebuggerListingProvider.java
+++ b/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/listing/DebuggerListingProvider.java
@@ -4,9 +4,9 @@
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -51,8 +51,7 @@ import ghidra.app.plugin.core.codebrowser.MarkerServiceBackgroundColorModel;
import ghidra.app.plugin.core.debug.disassemble.CurrentPlatformTraceDisassembleCommand;
import ghidra.app.plugin.core.debug.disassemble.CurrentPlatformTraceDisassembleCommand.Reqs;
import ghidra.app.plugin.core.debug.disassemble.DebuggerDisassemblerPlugin;
-import ghidra.app.plugin.core.debug.gui.DebuggerLocationLabel;
-import ghidra.app.plugin.core.debug.gui.DebuggerResources;
+import ghidra.app.plugin.core.debug.gui.*;
import ghidra.app.plugin.core.debug.gui.DebuggerResources.FollowsCurrentThreadAction;
import ghidra.app.plugin.core.debug.gui.DebuggerResources.OpenProgramAction;
import ghidra.app.plugin.core.debug.gui.action.*;
@@ -76,6 +75,8 @@ import ghidra.debug.api.listing.MultiBlendedListingBackgroundColorModel;
import ghidra.debug.api.modules.DebuggerMissingModuleActionContext;
import ghidra.debug.api.modules.DebuggerStaticMappingChangeListener;
import ghidra.debug.api.tracemgr.DebuggerCoordinates;
+import ghidra.features.base.memsearch.bytesource.AddressableByteSource;
+import ghidra.features.base.memsearch.bytesource.EmptyByteSource;
import ghidra.framework.model.DomainFile;
import ghidra.framework.options.SaveState;
import ghidra.framework.plugintool.*;
@@ -1358,4 +1359,12 @@ public class DebuggerListingProvider extends CodeViewerProvider {
.setViewerPosition(vp.getIndex(), vp.getXOffset(), vp.getYOffset());
});
}
+
+ @Override
+ public AddressableByteSource getByteSource() {
+ if (current == DebuggerCoordinates.NOWHERE) {
+ return EmptyByteSource.INSTANCE;
+ }
+ return new DebuggerByteSource(tool, current.getView(), current.getTarget(), readsMemTrait);
+ }
}
diff --git a/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/memory/DebuggerMemoryBytesProvider.java b/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/memory/DebuggerMemoryBytesProvider.java
index 3931bce10e..1dddf5485c 100644
--- a/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/memory/DebuggerMemoryBytesProvider.java
+++ b/Ghidra/Debug/Debugger/src/main/java/ghidra/app/plugin/core/debug/gui/memory/DebuggerMemoryBytesProvider.java
@@ -4,9 +4,9 @@
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -34,8 +34,7 @@ import docking.menu.MultiStateDockingAction;
import docking.widgets.fieldpanel.support.ViewerPosition;
import generic.theme.GThemeDefaults.Colors;
import ghidra.app.plugin.core.byteviewer.*;
-import ghidra.app.plugin.core.debug.gui.DebuggerLocationLabel;
-import ghidra.app.plugin.core.debug.gui.DebuggerResources;
+import ghidra.app.plugin.core.debug.gui.*;
import ghidra.app.plugin.core.debug.gui.DebuggerResources.FollowsCurrentThreadAction;
import ghidra.app.plugin.core.debug.gui.action.*;
import ghidra.app.plugin.core.debug.gui.action.AutoReadMemorySpec.AutoReadMemorySpecConfigFieldCodec;
@@ -46,6 +45,8 @@ import ghidra.app.services.DebuggerTraceManagerService;
import ghidra.debug.api.action.GoToInput;
import ghidra.debug.api.action.LocationTrackingSpec;
import ghidra.debug.api.tracemgr.DebuggerCoordinates;
+import ghidra.features.base.memsearch.bytesource.AddressableByteSource;
+import ghidra.features.base.memsearch.bytesource.EmptyByteSource;
import ghidra.framework.options.SaveState;
import ghidra.framework.plugintool.*;
import ghidra.framework.plugintool.annotation.AutoConfigStateField;
@@ -666,4 +667,12 @@ public class DebuggerMemoryBytesProvider extends ProgramByteViewerComponentProvi
newProvider.panel.setViewerPosition(vp);
});
}
+
+ @Override
+ public AddressableByteSource getByteSource() {
+ if (current == DebuggerCoordinates.NOWHERE) {
+ return EmptyByteSource.INSTANCE;
+ }
+ return new DebuggerByteSource(tool, current.getView(), current.getTarget(), readsMemTrait);
+ }
}
diff --git a/Ghidra/Debug/Framework-TraceModeling/src/test/java/ghidra/trace/database/memory/AbstractDBTraceMemoryManagerMemoryTest.java b/Ghidra/Debug/Framework-TraceModeling/src/test/java/ghidra/trace/database/memory/AbstractDBTraceMemoryManagerMemoryTest.java
index 4af570456a..98f8bc8380 100644
--- a/Ghidra/Debug/Framework-TraceModeling/src/test/java/ghidra/trace/database/memory/AbstractDBTraceMemoryManagerMemoryTest.java
+++ b/Ghidra/Debug/Framework-TraceModeling/src/test/java/ghidra/trace/database/memory/AbstractDBTraceMemoryManagerMemoryTest.java
@@ -4,9 +4,9 @@
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -960,4 +960,35 @@ public abstract class AbstractDBTraceMemoryManagerMemoryTest
assertArrayEquals(b.arr(1, 2, 3, 4), read.array());
}
}
+
+ @Test
+ public void testReplicateNpeScenario() throws Exception {
+ ByteBuffer buf4k = ByteBuffer.allocate(0x1000);
+ AddressSetView set = b.set(
+ b.range(0x00400000, 0x00404fff),
+ b.range(0x00605000, 0x00606fff),
+ b.range(0x7ffff7a2c000L, 0x7ffff7a33fffL));
+ Random random = new Random();
+ for (int i = 0; i < 30; i++) {
+ try (Transaction tx = b.startTransaction()) {
+ for (int j = 0; j < 3; j++) {
+ for (AddressRange r : set) {
+ for (AddressRange rc : new AddressRangeChunker(r, 0x1000)) {
+ if (random.nextInt(100) < 20) {
+ memory.setState(0, rc, TraceMemoryState.ERROR);
+ continue;
+ }
+ buf4k.position(0);
+ buf4k.limit(0x1000);
+ memory.putBytes(0, rc.getMinAddress(), buf4k);
+ }
+ }
+ }
+ }
+
+ try (Transaction tx = b.startTransaction()) {
+ memory.setState(0, b.range(0, -1), TraceMemoryState.UNKNOWN);
+ }
+ }
+ }
}
diff --git a/Ghidra/Debug/ProposedUtils/src/test/java/ghidra/util/database/spatial/RStarTreeMapTest.java b/Ghidra/Debug/ProposedUtils/src/test/java/ghidra/util/database/spatial/RStarTreeMapTest.java
index 94b92afbb9..0b832ef1a2 100644
--- a/Ghidra/Debug/ProposedUtils/src/test/java/ghidra/util/database/spatial/RStarTreeMapTest.java
+++ b/Ghidra/Debug/ProposedUtils/src/test/java/ghidra/util/database/spatial/RStarTreeMapTest.java
@@ -4,9 +4,9 @@
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -1097,6 +1097,23 @@ public class RStarTreeMapTest {
assertTrue(obj.map.isEmpty());
}
+ @Test
+ public void testAddThenRemove1() {
+ assertTrue(obj.map.isEmpty());
+
+ try (Transaction tx = obj.openTransaction("AddPoint")) {
+ obj.map.put(new ImmutableIntRect(0, 0, 0, 10), "Test");
+ }
+
+ assertFalse(obj.map.isEmpty());
+
+ try (Transaction tx = obj.openTransaction("RemovePoint")) {
+ assertTrue(obj.map.remove(new ImmutableIntRect(0, 0, 0, 10), "Test"));
+ }
+
+ assertTrue(obj.map.isEmpty());
+ }
+
@Test
public void testClear() {
List> points = generatePoints(rect(1, 12, 1, 12));
diff --git a/Ghidra/Features/Base/certification.manifest b/Ghidra/Features/Base/certification.manifest
index c053587a20..0b966dd28b 100644
--- a/Ghidra/Features/Base/certification.manifest
+++ b/Ghidra/Features/Base/certification.manifest
@@ -508,8 +508,10 @@ src/main/help/help/topics/RuntimeInfoPlugin/RuntimeInfo.htm||GHIDRA||||END|
src/main/help/help/topics/ScalarSearchPlugin/The_Scalar_Table.htm||GHIDRA||||END|
src/main/help/help/topics/ScalarSearchPlugin/images/ScalarWindow.png||GHIDRA||||END|
src/main/help/help/topics/ScalarSearchPlugin/images/SearchAllScalarsDialog.png||GHIDRA||||END|
+src/main/help/help/topics/Search/Instruction_Mnemonic_Search.htm||GHIDRA||||END|
src/main/help/help/topics/Search/Query_Results_Dialog.htm||GHIDRA||||END|
src/main/help/help/topics/Search/Regular_Expressions.htm||GHIDRA||||END|
+src/main/help/help/topics/Search/Search_Formats.htm||GHIDRA||||END|
src/main/help/help/topics/Search/Search_Instruction_Patterns.htm||GHIDRA||||END|
src/main/help/help/topics/Search/Search_Memory.htm||GHIDRA||||END|
src/main/help/help/topics/Search/Search_Program_Text.htm||GHIDRA||||END|
@@ -520,6 +522,9 @@ src/main/help/help/topics/Search/Searching.htm||GHIDRA||||END|
src/main/help/help/topics/Search/images/DirectReferences.png||GHIDRA||||END|
src/main/help/help/topics/Search/images/EncodedStringsDialog_advancedoptions.png||GHIDRA||||END|
src/main/help/help/topics/Search/images/EncodedStringsDialog_initial.png||GHIDRA||||END|
+src/main/help/help/topics/Search/images/MemorySearchProvider.png||GHIDRA||||END|
+src/main/help/help/topics/Search/images/MemorySearchProviderWithOptionsOn.png||GHIDRA||||END|
+src/main/help/help/topics/Search/images/MemorySearchProviderWithScanPanelOn.png||GHIDRA||||END|
src/main/help/help/topics/Search/images/MultipleSelectionError.png||GHIDRA||||END|
src/main/help/help/topics/Search/images/QueryResultsSearch.png||GHIDRA||||END|
src/main/help/help/topics/Search/images/SearchForAddressTables.png||GHIDRA||||END|
@@ -536,11 +541,7 @@ src/main/help/help/topics/Search/images/SearchInstructionsIncludeOperands.png||G
src/main/help/help/topics/Search/images/SearchInstructionsIncludeOperandsNoConsts.png||GHIDRA||||END|
src/main/help/help/topics/Search/images/SearchInstructionsManualSearchDialog.png||GHIDRA||||END|
src/main/help/help/topics/Search/images/SearchLimitExceeded.png||GHIDRA||||END|
-src/main/help/help/topics/Search/images/SearchMemoryBinary.png||GHIDRA||||END|
-src/main/help/help/topics/Search/images/SearchMemoryDecimal.png||GHIDRA||||END|
-src/main/help/help/topics/Search/images/SearchMemoryHex.png||GHIDRA||||END|
src/main/help/help/topics/Search/images/SearchMemoryRegex.png||GHIDRA||||END|
-src/main/help/help/topics/Search/images/SearchMemoryString.png||GHIDRA||||END|
src/main/help/help/topics/Search/images/SearchText.png||GHIDRA||||END|
src/main/help/help/topics/Search/images/StringSearchDialog.png||GHIDRA||||END|
src/main/help/help/topics/Search/images/StringSearchResults.png||GHIDRA||||END|
@@ -919,6 +920,11 @@ src/main/resources/images/unlock.gif||GHIDRA||||END|
src/main/resources/images/verticalSplit.png||GHIDRA||||END|
src/main/resources/images/view-sort-ascending.png||Oxygen Icons - LGPL 3.0|||Oxygen icon theme (dual license; LGPL or CC-SA-3.0)|END|
src/main/resources/images/view-sort-descending.png||Oxygen Icons - LGPL 3.0|||Oxygen icon theme (dual license; LGPL or CC-SA-3.0)|END|
+src/main/resources/images/view_bottom.png||Nuvola Icons - LGPL 2.1|||Nuvola icon set|END|
+src/main/resources/images/view_left_right.png||Nuvola Icons - LGPL 2.1|||Nuvola icon set|END|
+src/main/resources/images/view_top_bottom.png||Nuvola Icons - LGPL 2.1|||Nuvola icon set|END|
+src/main/resources/images/viewmag+.png||Crystal Clear Icons - LGPL 2.1||||END|
+src/main/resources/images/viewmag.png||GHIDRA||||END|
src/main/resources/images/window.png||GHIDRA||||END|
src/main/resources/images/wizard.png||Nuvola Icons - LGPL 2.1|||nuvola|END|
src/main/resources/images/x-office-document-template.png||Tango Icons - Public Domain|||tango icon set|END|
diff --git a/Ghidra/Features/Base/data/base.icons.theme.properties b/Ghidra/Features/Base/data/base.icons.theme.properties
index 648f2fdb88..05628777bb 100644
--- a/Ghidra/Features/Base/data/base.icons.theme.properties
+++ b/Ghidra/Features/Base/data/base.icons.theme.properties
@@ -395,6 +395,11 @@ icon.base.util.xml.functions.bookmark = imported_bookmark.gif
icon.base.util.datatree.version.control.archive.dt.checkout.undo = vcUndoCheckOut.png
+icon.base.mem.search.panel.options = view_left_right.png
+icon.base.mem.search.panel.scan = view_bottom.png
+icon.base.mem.search.panel.search = view_top_bottom.png
+
+
diff --git a/Ghidra/Features/Base/src/main/help/help/topics/Search/Instruction_Mnemonic_Search.htm b/Ghidra/Features/Base/src/main/help/help/topics/Search/Instruction_Mnemonic_Search.htm
new file mode 100644
index 0000000000..7a99d6113a
--- /dev/null
+++ b/Ghidra/Features/Base/src/main/help/help/topics/Search/Instruction_Mnemonic_Search.htm
@@ -0,0 +1,112 @@
+
+
+
+
+
+
+ Search Memory
+
+
+
+
+
+
+
+
+
Search for Matching Instructions
+
+
+
This action works only on a selection of code. It uses the selected instructions to build
+ a combined mask/value bit pattern that is then used to populate the search field in a
+ Memory Search Window. This enables searching through memory
+ for a particular ordering of
+ instructions. There are three options available:
+
+
+
Include Operands - All bits that make up the instruction and all bits that make
+ up the operands will be included in the search pattern.
+
+
Exclude Operands - All bits that make up the instruction are included in the
+ search pattern but the bits that make up the operands will be masked off to enable wild
+ carding for those bits.
+
+
Include Operands (except constants) - All bits that make up the instruction are
+ included in the search pattern and all bits that make up the operands, except constant
+ operands, which will be masked off to enable wild carding for those bits.
+
+
+
+
Example:
+
+
A user first selects the following lines of code. Then, from the Search menu they choose
+ Search for Matching Instructions and one of the following options:
+
+
+ Option 1:
+
+
+
If the Include Operands action is chosen then the search will find all
+ instances of the following instructions and operands.
+
+
+
+
All of the bytes that make up the selected code will be searched for exactly, with no
+ wild carding. The bit pattern 10000101 11000000 01010110 01101010 00010100
+ 01011110 which equates to the byte pattern 85 c0 56 6a 14 5e is searched
+ for.
+
+
+
Option 2:
+
+
+
If the Exclude Operands option is chosen then the search will find all
+ instances of the following instructions only.
+
+
+
+
Only the parts of the byte pattern that make up the instructions will be searched for
+ with the remaining bits used as wildcards. The bit pattern 10000101 11...... 01010...
+ 01101010 ........ 01011... is searched for where the .'s indicate the wild carded
+ values.
+
+
+
Option 3:
+
+
+
If the Include Operands (except constants) option is chosen then the search
+ will find all instances of the instruction and all operands except the 0x14 which is a
+ constant.
+
+
+
+
The bit pattern 10000101 11000000 01010110 01101010 ........ 01011110 which
+ equates to the byte pattern 85 c0 56 6a xx 5e is searched for where xx can be any
+ number N between 0x0 and 0xff.
+
+
+
+
+
+
The previous operations can only work on a
+ single selected region. If multiple regions are selected, the following error dialog
+ will be shown and the operation will be cancelled.
+
+
diff --git a/Ghidra/Features/Base/src/main/help/help/topics/Search/Regular_Expressions.htm b/Ghidra/Features/Base/src/main/help/help/topics/Search/Regular_Expressions.htm
index 34cbbacdbf..d3f0a4e88c 100644
--- a/Ghidra/Features/Base/src/main/help/help/topics/Search/Regular_Expressions.htm
+++ b/Ghidra/Features/Base/src/main/help/help/topics/Search/Regular_Expressions.htm
@@ -19,17 +19,21 @@
same as a regular expression for any standard Java application. Because of restrictions on how
regular expressions are processed, regular expression searches can only be performed in the
forward direction. Unlike standard string searches, case sensitivity and unicode options do not
- apply. The Search Memory dialog below shows a sample regular expression entered in the
+ apply. The Search Memory window below shows a sample regular expression entered in the
Value field.
The selected format determines how the user input is used to generate a search byte
+ sequence (and possibly mask byte sequence). They are also used to format bytes back into
+ "values" to be displayed in the table, if applicable.
+
+
Hex:
+
+
+
The hex format allows the user to specify the search bytes as hex values.
+
+
Notes:
+
+
+
+
The input string is interpreted as a sequence of hex numbers, separated by spaces.
+
+
Wildcard characters can be used to match any single hex digit (i.e. any 4 bit
+ value).
+
+
Either the '.' or '?' character can be used for the wildcard character.
+
+
Each hex number group (groups are separated by spaces) will produce a sequence of bytes
+ that may be reversed depending on the byte order. To avoid byte ordering effects, separate
+ each two digit hex value with a space.
+
+
The byte search pattern is formed by concatenating the bytes from each hex number
+ group.
+
+
The Hex format generates no "values" in the values table column (it would just be a
+ repeat of the bytes column).
+
+
As a convenience, if a user enters a single wildcard value within the search text, then
+ the search string will be interpreted as if 2 consecutive wildcard characters were entered,
+ meaning to match any byte value.
+
+
Similarly, if the search string contains an odd number of characters, then a 0 is
+ prepended to the search string, based on the assumption that a single hex digit implies a
+ leading 0 value.
+
+
+
+
Examples: (Little Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
12
+
+
12
+
+
FF
+
+
+
+
12 A4
+
+
12 A4
+
+
FF FF
+
+
+
+
12A4
+
+
A4 12
+
+
FF FF
+
+
+
+
12 3456
+
+
12 56 34
+
+
FF FF FF
+
+
+
+
5 E12
+
+
05 12 0E
+
+
FF FF FF
+
+
+
+
5.
+
+
50
+
+
F0
+
+
+
+
.5
+
+
05
+
+
0F
+
+
+
+
12.4
+
+
04 12
+
+
0F FF
+
+
+
+
+
Examples: (Big Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
12
+
+
12
+
+
FF
+
+
+
+
12 A4
+
+
12 A4
+
+
FF FF
+
+
+
+
12A4
+
+
12 A4
+
+
FF FF
+
+
+
+
12 3456
+
+
12 34 56
+
+
FF FF FF
+
+
+
+
5 E12
+
+
05 0E 12
+
+
FF FF FF
+
+
+
+
5.
+
+
50
+
+
F0
+
+
+
+
.5
+
+
05
+
+
0F
+
+
+
+
12.4
+
+
12 04
+
+
FF 0F
+
+
+
+
+
+
Binary:
+
+
+
The Binary format allows the user to specify the search bytes as binary
+ values.
+
+
+
+
+
The input string is interpreted as a sequence of binary numbers.
+
+
Binary values must always be specified in groups of up to 8 "0" or "1" digits.
+
+
Since a group can have at most 8 characters, a group always represents 1 byte.
+
+
Since a group can be only 1 byte, byte ordering doesn't affect the binary format.
+
+
Wildcard characters can be used to match any single binary digit (i.e. any 1 bit
+ value).
+
+
Either the '.' or '?' character can be used for the wildcard character.
+
+
The byte search pattern is formed by concatenating the bytes from each binary number
+ group.
+
+
The binary format generates no "values" in the values table column
+
+
As a convenience, if a user enters less than 8 binary digits, it is assumed that the
+ leading bits are 0.
+
+
+
+
Examples:
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
10000001
+
+
81
+
+
FF
+
+
+
+
11
+
+
03
+
+
FF
+
+
+
+
0 1 0
+
+
00 01 00
+
+
FF FF FF
+
+
+
+
0 10
+
+
00 02
+
+
FF FF
+
+
+
+
111.00.0
+
+
E0
+
+
ED
+
+
+
+
1 . 0
+
+
01 00 00
+
+
FF 00 FF
+
+
+
+
+
+
String:
+
+
+
The String format allows the user to search to specify the search bytes as a string.
+
+
+
+
+
The input string is converted to bytes using the chosen character encoding.
+
+
If the Case Sensitive option is on, the bytes are translated exactly to the
+ string values and the masks bytes are all 0xFF.
+
+
If the Case Sensitive option is off, the bytes are translated to the string values in
+ upper case and the masks are all 0xEF, meaning matches
+ will be found regardless of the case of the input string or the bytes in memory.
+
+
If the Escape Sequences option is on, values such as "\n" or "\t" are translated to
+ their single byte equivalent escape value.
+
+
If the Escape Sequences option is off, values such as "\n" or "\t" are
+ translated literally to those characters (e.g. the "\" char followed by the "n" char.
+
+
The String format generates strings for the table's Match Value column.
+
+
Wild cards are not supported by the String format.
+
+
+
+
Examples: (Encoding is Ascii, Case Sensitive is on, Escape Sequences is off)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
Hey0
+
+
48 65 79 30
+
+
FF FF FF FF
+
+
+
+
Hey\n
+
+
49 65 79 5c 6e
+
+
FF FF FF FF FF
+
+
+
+
+
Examples: (Encoding is Ascii, Case Sensitive is off, Escape Sequences is off)
+
+
+ DF DF DF FF
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
Hey0
+
+
48 45 59 30
+
+
+
+
Hey\n
+
+
49 65 79 5c 6e
+
+
DF DF DF DF FF DF
+
+
+
+
+
Examples: (Encoding is Ascii, Case Sensitive is on, Escape Sequences is on)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
Hey0
+
+
48 65 79 30
+
+
FF FF FF FF
+
+
+
+
Hey\n
+
+
49 65 79 0A
+
+
FF FF FF FF
+
+
+
+
Examples: (Encoding is UTF-16, Case Sensitive is on, Escape Sequences is off, Little Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
Hey
+
+
48 00 65 00 70 00 79 00
+
+
FF FF FF FF FF FF
+
+
+
+
a\n
+
+
61 00 5c 00 6e 00
+
+
FF FF FF FF FF FF
+
+
+
+
+
Examples: (Encoding is UTF-16, Case Sensitive is on, Escape Sequences is off, Big Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
Hey
+
+
00 48 00 65 00 70 00 79
+
+
FF FF FF FF FF FF
+
+
+
+
a\n
+
+
00 61 00 5c 00 6e
+
+
FF FF FF FF FF FF
+
+
+
+
+
+
Reg Ex:
+
+
+
The Reg Ex format allows the user to search memory for strings using Java regular
+ expressions.
+
+
+
+
+
The Reg Ex format treats consecutive bytes in memory as if it was a string and uses the
+ input string as the specification for the regular expression.
+
+
The Reg Ex format generates no bytes and masks, instead using Java's regular expression
+ engine to try and find matches.
+
+
The Reg Ex format generates strings for the table's Match Value column.
+
+
For more information on supported regular expression syntax, see the page on
+ Regular Expressions
+
+
+
Decimal:
+
+
+
The Decimal format allows the user to search for a sequence of decimal values.
+
+
+
+
+
The input string can have one or more decimal values, separated by
+ spaces.
+
+
Each decimal value in the input text, are converted to a sequence of bytes. The number
+ of bytes for each value is determined by the size as specified in the decimal options.
+
+
If the Unsigned option is on, negative number can't be entered.
+
+
If the Unsigned option is on, input numbers can be as big as the largest
+ unsigned value that can be represented by the selected byte size. For example, if the
+ byte size is 1, the largest unsigned value you can enter is 255.
+
+
If the Unsigned option is off, input numbers can be from the lowest negative
+ number to the highest positive number for values that can be represented by the selected
+ byte size. For example, if the byte size is 1, the entered values can be from -128 to 127.
+
+
The endian setting affects the order of the bytes generated for decimal values.
+
+
The Decimal format does not support wildcards.
+
+
The byte search pattern is formed by concatenating the bytes from each decimal
+ number entered in the input.
+
+
The Decimal format displays decimal values in the table's Match Value column.
+
+
+
+
Examples: (Size = 1 byte, Signed Values)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
-1 0 127
+
+
FF 0 7F
+
+
FF FF FF
+
+
+
+
+
Examples: (Size = 2 byte, Signed Values, Little Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
-1 0 32767
+
+
FF FF 00 00 FF 7F
+
+
FF FF FF FF FF FF
+
+
+
+
+
Examples: (Size = 2 byte, Signed Values, Big Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
-1 0 32767
+
+
FF FF 00 00 7F FF
+
+
FF FF FF FF FF FF
+
+
+
+
Examples: (Size = 4 byte, Signed Values, Little Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
-1 5
+
+
FF FF FF FF 05 00 00 00
+
+
FF FF FF FF FF FF FF FF
+
+
+
+
+
Examples: (Size = 4 byte, Signed Values, Big Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
-1 5
+
+
FF FF FF FF 00 00 00 05
+
+
FF FF FF FF FF FF
+
+
+
+
+
Examples: (Size = 8 byte, Signed Values, Little Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
-1
+
+
FF FF FF FF FF FF FF FF
+
+
FF FF FF FF FF FF FF FF
+
+
+
+
5
+
+
05 00 00 00 00 00 00 00
+
+
FF FF FF FF FF FF FF FF
+
+
+
+
+
Examples: (Size = 8 byte, Signed Values, Big Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
-1
+
+
FF FF FF FF FF FF FF FF
+
+
FF FF FF FF FF FF FF FF
+
+
+
+
5
+
+
00 00 00 00 00 00 00 05
+
+
FF FF FF FF FF FF FF FF
+
+
+
+
+
Examples: (Size = 1 byte, Unsigned Values)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
0 256
+
+
0 FF
+
+
FF FF
+
+
+
+
Examples: (Size = 2 byte, Unsigned Values, Little Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
5
+
+
05 00
+
+
FF FF
+
+
+
+
65535
+
+
FF FF
+
+
FF FF
+
+
+
+
+
Examples: (Size = 2 byte, Unsigned Values, Big Endian)
+
+
+
+
+
5
+
+
0 05
+
+
FF FF
+
+
+
+
65535
+
+
FF FF
+
+
FF FF
+
+
+
+
+
Examples: (Size = 4 byte, Unsigned Values, Little Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
5
+
+
05 00 00 00
+
+
FF FF FF FF
+
+
+
+
+
Examples: (Size = 4 byte, Unsigned Values, Big Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
5
+
+
00 00 00 05
+
+
FF FF FF FF FF
+
+
+
+
+
+
+
+
Examples: (Size = 8 byte, Unsigned Values, Little Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
5
+
+
05 00 00 00 00 00 00 00
+
+
FF FF FF FF FF FF FF FF
+
+
+
+
+
Examples: (Size = 8 byte, Unsigned Values, Big Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
5
+
+
00 00 00 00 00 00 00 05
+
+
FF FF FF FF FF FF FF FF
+
+
+
+
+
+
+
Float:
+
+
+
The Float format allows the user to enter floating point numbers of size 4 bytes.
+
+
+
+
+
The input string is interpreted as a sequence of floating point numbers.
+
+
Each floating point number is converted to 4 bytes.
+
+
The Endian setting affects the order of the bytes.
+
+
Wildcard characters are not supported.
+
+
The byte search pattern is formed by concatenating the bytes from each floating point
+ number.
+
+
The Float format generates floating point numbers in the values table column
+
+
+
+
Examples: (Little Endian)
+
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
3.14
+
+
C3 F5 48 40
+
+
FF FF FF FF
+
+
+
+
+
Examples: (Big Endian)
+
+
+
+
Input String
+
+
Byte Sequence
+
+
Mask Bytes
+
+
+
+
3.14
+
+
40 48 F5 C3
+
+
FF FF FF FF
+
+
+
+
+
+
+
Double:
+
+
+
The Double format allows the user to enter floating point numbers of size 8 bytes.
+
+
+
+
+
The input string is interpreted as a sequence of floating point numbers.
+
+
Each floating point number is converted to 8 bytes.
+
+
The Endian setting affects the order of the bytes.
+
+
Wildcard characters are not supported.
+
+
The byte search pattern is formed by concatenating the bytes from each floating point
+ number.
+
+
The Double format generates floating point numbers in the values table column
Search Memory locates sequences of bytes in program memory. The search is based on a
- value entered as hex numbers, decimal numbers or strings. The byte sequence may contain
- "wildcards" that will match any byte (or possibly nibble). String searching also allows for the
- use of regular expression searches.
-
-
To Search Memory:
-
-
-
From the Tool, select Search
- Memory
+
-
Enter a Hex String in the Value field
- This will create a Hex Sequence for searching.
+
Search Memory
-
Choose "Next" to find the next occurrence
-
- - or -
- Choose "Previous" to find the previous occurrence
-
- - or -
- Choose "Search All" to find all occurrences.
-
-
+
The memory search feature locates sequences of bytes in program memory. The search is
+ based on user entered values which can be specified in a variety of formats such as hex,
+ binary, string, and decimal values. The hex and binary formats support "wildcards" which can
+ match any bit or nibbles depending on the format. String search also supports the use of regular expression searches.
To create a new memory search window, select SearchMemory from the main tool menu or use the default keybinding
+ "S".
+
By default, search windows and their
+ tabs display "Search Memory:" followed by the search string and the program name. This
+ can be changed by right-clicking on the title or table to change its name. (This is true
+ for all transient windows.)
+
Contents
-
Search Value
-
-
-
-
The value to search. The values entered will be interpreted based on the
- Format options.
-
-
-
-
Hex Sequence
-
-
-
-
As the search value is entered, this field will display the exact hex byte sequence
- that will be searched for in memory.
-
-
-
Format
-
-
-
Hex:
-
-
-
-
Value is interpreted as a sequence of hex numbers, separated by spaces. Wildcard
- characters can be used to match any single hex digit (i.e. any 4 bit value). Either
- the '.' or '?' character can be used for the wildcard character.
-
-
Each hex number (separated by spaces) will produce a sequence of bytes that may be
- reversed depending on the Byte Order.
-
-
The byte search pattern is formed by concatenating the bytes from each hex number.
- As a convenience, if a user enters a single wildcard value within the search text, then
- the search string will be interpreted as if 2 consecutive wildcard characters were
- entered, meaning to match any byte value.
-
-
- Similarly, if the search string contains an odd number of characters, then a 0 is prepended
- to the search string, based on the assumption that a single hex digit implies a leading
- 0 value.
-
-
-
-
-
-
-
-
-
-
String:
-
-
-
Value is interpreted as the specified character encoding. The center panel of the
- Search Memory dialog shows the Format Options, described below.
-
-
-
-
-
Encoding - Interprets strings by the specified encoding. Note that
- byte ordering determines if the high order byte comes first or last.
-
-
Case Sensitive - Turning off this option will search for the string
- regardless of case using the specified character encoding. Only applicable for English
- characters.
-
-
Escape Sequences - Enabling this option allows escape sequences in the
- search value (i.e., allows \n to be searched for).
-
-
-
-
Decimal:
-
-
-
Value is interpreted as a sequence of decimal numbers, separated by spaces. The center
- panel of the Search Memory dialog shows the Decimal Options, described below.
-
-
-
-
-
Only numbers that fit the specified Decimal Options are allowed to be entered.
-
-
The byte search pattern is formed by concatenating the bytes from each
- number.
Value is interpreted as a sequence of binary numbers, separated by spaces.
- Wildcard characters ('x' or '?' or '.') can be used to match any bit.
-
+
The Memory Search Window provides controls and options for entering search values and
+ and a table for displaying the search results. It supports both bulk searching and
+ incremental searching forwards and backwards. Also, users can perform additional searches
+ and combine those results with the existing results using set operations. The window also
+ has a "scan" feature which will re-examine the bytes of the current results set, looking
+ for memory changes at those locations (this is most useful when debugging). Scanning has an
+ option for reducing the results to those that either changed, didn't change, were
+ incremented, or were decremented.
-
+
-
-
Only binary digits (0 or 1) or wildcard characters (*?.) are allowed to be
- entered.
+
Memory Search Window
+
-
The byte search pattern is formed by concatenating the bytes from each
- number.
-
-
An additional Mask byte which is not shown, is generated for each search byte to handle
- the wildcards.
-
-
-
Regular Expression:
-
-
-
Value is interpreted as a Java Regular Expression
- that is matched against memory as if all memory was a string. Help on how to form regular
- expressions is available on the Regular Expression
- Help page.
-
-
-
-
-
-
Regular Expressions can only be used to search forward in memory.
-
-
No Hex Sequence is displayed for regular expressions.
-
-
-
-
Memory Block Types
-
-
-
Selects which initialized memory blocks are searched. Ghidra now stores external
- information from the program's file header in special memory blocks. These blocks do not live
- in the program's address space, but instead are stored in the "OTHER" address space. Memory
- blocks which would be found in an actual running version of the program are referred to as
- "Loaded Memory Blocks."
-
-
-
-
Loaded Blocks - will search only "loaded" memory blocks (memory blocks that would
- appear in an actual running instance of the program) and not "Other" information memory
- blocks.
-
-
All Blocks - will search all memory blocks including "Other" blocks.
-
-
-
-
-
-
-
Selection Scope
-
-
-
Search All - If this option is selected, the search will search all memory in the
- tool.
-
-
Search Selection - If this option is selected, the search will be restricted to
- the current selection in the tool. This option is only enabled if there is a current
- selection in the tool.
-
-
-
-
-
Code Unit Scope
-
-
-
Filters the matches based upon the code unit containing a given address.
-
-
-
Instructions - includes instruction code units in the search.
-
-
Defined Data - includes defined data in the search.
-
-
Undefined Data - includes undefined data in the search.
-
-
-
-
Byte Order
-
-
-
Sets the byte ordering for multi-byte values. Has no effect on non-Unicode Ascii
- values, Binary, or regular expressions.
-
-
Little Endian - places low-order bytes first.
- For example, the hex number "1234" will generate the bytes "34" , "12".
-
-
Big Endian - places high-order bytes first.
- For example, the hex number "1234" will generate the bytes "12", "34".
-
-
-
Alignment
-
-
-
Generally the alignment defaults to 1, but can be set to any number greater than 0. The
- search results will be limited to those that begin on the specified byte alignment. In other
- words, an alignment of 1 will get all matching results regardless of the address where each
- begins. An alignment of 2 will only return matching results that begin on a word aligned
- address.
-
-
-
-
-
Searching
-
-
-
Next / Previous - Finds the next/previous occurrence of the byte pattern from the current
- cursor location; if you mouse click in the Code Browser to move focus there, you can choose
- SearchRepeat Memory Search to go to the next/previous match
- found.
For very large Programs that may take a
- while to search, you can cancel the search at any time. For these situations, a progress bar
- is displayed, along with a Cancel button. Click on the Cancel button to stop the search.
-
-
Dismissing the search dialog
- automatically cancels the search operation.
-
-
-
-
-
Highlight Search Option
-
-
-
You can specify that the bytes found in the search be highlighted in the Code Browser by
- selecting the Highlight Search Results checkbox on the Search Options panel. To view
- the Search Options, select Edit
- Tool Options... from the tool menu, then select the Search node in the Options
- tree in the Options dialog. You can also change the highlight color. Click on the color bar
- next to Highlight Color to bring up a color chooser. Choose the new color, click on
- the OK button. Apply your changes by clicking on the OK or Apply button
- on the Options dialog.
-
-
-
Highlights are displayed for the last
- search that you did. For example, if you bring up the Search Program Text dialog and search
- for text, that string now becomes the new highlight string. Similarly, if you invoke cursor text
- highlighting, that becomes the new highlight string.
-
-
-
Highlights are dropped when you close the search dialog, or close the query results window
- for your most recent search.
-
-
-
-
-
-
Search for Matching Instructions
-
-
-
This action works only on a selection of code. It uses the selected instructions to build
- a combined mask/value bit pattern that is then used to populate the search field in the
- Memory Search Dialog. This enables searching through memory for a particular ordering of
- instructions. There are three options available:
-
-
-
Include Operands - All bits that make up the instruction and all bits that make
- up the operands will be included in the search pattern.
-
-
Exclude Operands - All bits that make up the instruction are included in the
- search pattern but the bits that make up the operands will be masked off to enable wild
- carding for those bits.
-
-
Include Operands (except constants) - All bits that make up the instruction are
- included in the search pattern and all bits that make up the operands, except constant
- operands, which will be masked off to enable wild carding for those bits.
-
-
-
-
Example:
-
-
A user first selects the following lines of code. Then, from the Search menu they choose
- Search for Matching Instructions and one of the following options:
-
-
- Option 1:
+
Search Controls
-
If the Include Operands action is chosen then the search will find all
- instances of the following instructions and operands.
+
At the top of the window as shown above, there are several GUI elements for initializing and
+ executing a memory byte search. These controls can be closed from the view after a search
+ to give more space to view results using the toolbar button.
-
+
Search Format Field:
-
All of the bytes that make up the selected code will be searched for exactly, with no
- wild carding. The bit pattern 10000101 11000000 01010110 01101010 00010100
- 01011110 which equates to the byte pattern 85 c0 56 6a 14 5e is searched
- for.
-
-
-
Option 2:
+
+
This is a drop-down list of formats whose selected format determines how to
+ interpret the text in the Search Input Field. The format will convert the user's
+ input into a sequence of bytes (and possibly masks). Details on each format are
+ described in the Search Formats section.
+
+
+
Search Input Field:
+
+
+
Next to the Search Format drop-down, there is a text field where users can
+ enter one or more values to be searched. This field performs validation depending on
+ the active format. For example, when the format is Hex, users can only enter
+ hexadecimal values.
+
+
+
Previous Search Drop Down:
+
+
+
At the end of the input field, there is a drop-down list of previous searches.
+ Selecting one of these will populate the input field with that previous search input,
+ as well as the relevant settings that were used in that search such as the search
+ format.
+
+
+
Search Button:
+
+
+
Pressing the search button will initiate a search. When the results table is empty,
+ the only choice is to do an initial search. If there are current results showing in the
+ table, a drop-down will appear at the back of the button, allowing the user to combine
+ new search results with the existing results using set operations. See the
+ Combining Searches section
+ below for more details.
+
+
+
Byte Sequence Field:
+
+
+
This field is used to show the user the bytes sequence that will be search for based
+ on the format and the user input entered. Hovering on this field will also display the
+ masks that will be used (if applicable).
+
+
+
Selection Only Checkbox:
+
+
+
If there is a current selection, then this checkbox will be enabled and provide the
+ user with the option to restrict the search to only the selected addresses. Note that
+ there is an action that controls whether this option will be selected automatically if
+ a selection exists.
+
+
+
+
Scan Controls
-
If the Exclude Operands option is chosen then the search will find all
- instances of the following instructions only.
+
The scan controls are used to re-examine search results, looking for values that have
+ changed since the search was initiated. This is primary useful when debugging. The
+ scan controls are not showing by default. Pressing the toolbar button will show them along the right side of the
+ window
-
+
-
Only the parts of the byte pattern that make up the instructions will be searched for
- with the remaining bits used as wildcards. The bit pattern 10000101 11...... 01010...
- 01101010 ........ 01011... is searched for where the .'s indicate the wild carded
- values.
-
-
-
Option 3:
+
Memory Search Window With Scan Controls Showing
+
+
Scan Values Button:
+
+
+
This button initiates a scan of the byte values in all the matches in the results
+ table. Depending on the selected scan option, the set of matches in the table may be
+ reduced based on the values that changed.
+
+
+
Scan Option Radio Buttons
+
+
+
One of the following buttons can be selected and they determine how the set of
+ current matches should be reduced based on changed values.
+
+
+
Equals This option will keep all matches whose values haven't changed and
+ remove any matches whose bytes have changed.
+
+
Not Equals This option will keep all matches whose values have changed and
+ will remove any matches whose bytes have not changed.
+
+
Increased This option will keep all matches whose values have increased
+ and will remove any matches whose values decreased or stayed the same.
+
+
Decreased This option will keep all matches whose values have decreased
+ and will remove any matches whose values increased or stayed the same.
+
+
+
The Increased or
+ Decreased options really only make sense for matches that represent numerical
+ values such as integers or floats. In other cases it makes the determination based on
+ the first byte in the sequence that changed, as if they were a sequence of 1 byte
+ unsigned values.
+
+
Another way to see changed bytes is
+ to use the Refresh toolbar action. This will
+ update the bytes for each search result and show them in red without reducing the set
+ of results.
+
+
+
+
Results Table
-
If the Include Operands (except constants) option is chosen then the search
- will find all instances of the instruction and all operands except the 0x14 which is a
- constant.
-
-
-
-
The bit pattern 10000101 11000000 01010110 01101010 ........ 01011110 which
- equates to the byte pattern 85 c0 56 6a xx 5e is searched for where xx can be any
- number N between 0x0 and 0xff.
-
-
+
The bottom part of the window is the search results table. Each row in the table
+ represents one search match. The table can contain combined results from multiple
+ searches. At the bottom of the results table, all the standard table filters are
+ available. The table has the following default columns, but additional columns can be
+ added by right-clicking on any column header.
+
+
+
Location: Displays the address of the first byte in the matching
+ sequence.
+
+
Match Bytes: Displays the bytes of the matching sequence. (Note: if you
+ refresh or scan, the bytes can change. Changed bytes will be displayed in red.)
+
+
Match Value: Displays the matching bytes as a value where the value is
+ determined by the Search Format. Note that not all formats have a meaningful
+ value, in which case the column value will be empty.
+
+
Label: Displays any labels that are present at the match address.
+
+
Code Unit: Displays the instruction or data that the match address.
+
+
+
Options
+
+
+
The options panel is not displayed by default. Pressing the toolbar button will show them along the right side of the
+ window.
+
+
+
+
+
Memory Search Window With Options Open
+
+
Byte Options
+
+
These are general options that affect most searches.
+
+
Endianess: This chooses the byte ordering for values that are larger than
+ one byte. Big Endian orders the bytes most significant first. Little Endian orders the
+ bytes least significant first.
+
Alignment: The alignment requires that matches must start on an address that
+ has an offset that is a multiple of the specified integer field. For example, an
+ alignment of two would require that the address have an even value.
+
+
+
Decimal Options
+
+
+
These options apply when parsing input as decimal values.
+
+
+
Size: The size (in bytes) of the decimal values.
+
+
Unsigned: If checked, the values will be interpreted as unsigned values
+ and the input field won't accept negative values.
+
+
+
+
String Options
+
+
+
These options apply when parsing input as string data.
+
+
+
Encoding: Specified the char set used to convert between strings and
+ bytes. (ASCII, UTF8, or UTF 16)
+
+
Case Sensitive: If unselected, causes mask bytes to be generated such that
+ the search will not be case sensitive. Otherwise, the bytes must match exactly the
+ input the user entered.
+
+
Escape Sequences: Determines if standard escape sequences are interpreted
+ literally or not. For example, if checked, and the user enters "\n", the search will
+ look for an end of line character. If unchecked, the search will look for a "\"
+ followed by an "n". Supported escape sequences include "\n", "\r", "\b", "\f", "\0",
+ "\x##", "\u####", "\U#########".
+
+
+
+
Code Type Filters
+
+
+
These are filters that can be applied to choose what type(s) of code units to
+ include in the results. By default, they are all selected. The types are:
+
+
+
Instructions: Include matches that start at or in an instruction.
+
+
Defined Data: Include matches that start at or in a define data.
+
+
Undefined Data: Include matches that start at or in undefined data.
+
+
+
+
Memory Regions
+
+
+
Choose one or more memory regions to search. The available regions can vary depending
+ on the context, but the default regions are:
+
+
+
Loaded Blocks: These include all the memory blocks defined that are actually
+ part of a loaded executable binary. On by default.
+
+
Other Blocks: These are other than loaded blocks, typically representing
+ file header data. Off by default.
+
+
+
+
+
+
+
+
+
+
Search Formats
+
+
+
The selected format determines how the user input is used to generate a search byte
+ sequence (and possibly mask byte sequence). They are also used to format bytes back into
+ "values" to be displayed in the table, if applicable.
+
+
See the page on Search Formats for full details on each
+ format.
+
+
+
Actions
+
+
+
+
+
Incremental Search Forward
+
+
+
This action searches forward in memory, starting at the address just after the current
+ cursor location. It will continue until a match is found or the highest address in the
+ search space is reached. It does not "wrap". If a match is found, it it is added to the
+ current table of results.
+
+
+
Incremental Search Backwards
+
+
+
This action searches backwards in memory, starting at the address just before the
+ current cursor location. It will continue until a match is found or the lowest address in
+ the search space is reached. It does not "wrap". If a match is found, it it is added to
+ the current table of results.
+
+
+
Refresh
+
+
+
This action will read the bytes again from memory for every match in the results
+ table, looking to see if any of the bytes have changed. If so, the Match Bytes and
+ Match Value columns will display the changed values in red.
This action will create a selection in the associated view from all the currently
+ selected match table rows.
+
+
+
Toggle Single Click
+ Navigation
+
+
+
This action toggles on or off whether a single row selection change triggers
+ navigation in the associated view. If this option is off, the user must double-click on a
+ row to navigate in the associated view.
+
+
+
Delete Selected
+ Table Rows
+
+
+
This action deletes all selected rows in the results match table.
+
+
+
+
Combining Searches
+
+
+
Results from multiple searches can be combined in various ways. These options are only
+ available once you have results in the table. Once results are present, the Search
+ Button changes to a button that has a drop down menu that allows you do decide how you
+ want additional searches to interact with the current results showing in the results table.
+ The options are as follows:
+
+
New Search
+
+
+ This option causes all existing result matches to be replaced with the results of the new
+ search. When this option is selected, the button text will show "New Search".
+
This does not create a new
+ search memory window, but re-uses this window. To create a new
+ search window, you must go back to the search memory action from the main menu.
+
+
+
A union B
+
+
+ This option adds the results from the new search to all the existing result matches. When
+ this option is selected, the button text will show "Add To Search".
+
+
+
A intersect B
+
+
+ This option will combine the results of the new search with the existing search, but only
+ keep results that are in both the existing result set and the new search result set. When
+ this option is selected, the button text will show "Intersect Search".
+
+
+
A xor B
+
+
+ This option will combine the results of the new search with the existing search, but only
+ keep results that are in either the new or existing results, but not both.
+ When this option is selected, the button text will show "Xor Search".
+
+
+
A - B
+
+
+ Subtracts the new results from the existing results. When
+ this option is selected, the button text will show "A-B Search".
+
+
+
B - A
+
+
+ Subtracts the existing results from the new results. When this option is
+ selected, the button text will show "B-A Search".
+
+
+
Many of these set operations only make
+ sense if you do advanced searches using wildcards. For example, if you do a search for
+ integer values of 5, it would make no sense to intersect that with a search for integer
+ values of 3. The sets are mutually exclusive, so the intersection would be empty.
+ Explaining how to take advantage of these options is beyond the scope of this document.
+
+
+
Search Forward/Backwards Using Global Actions
+
+
+
Once at least one search has been executed using the Memory Search Window, the search can be repeated in an
+ incremental fashion outside a search window using global actions in the main tool menu or
+ their assigned default keybindings.
+
+
+
Search Memory Forwards:
+
+
This action will use the input data and settings from the last memory search and begin
+ searching forwards in memory starting at the cursor location in the associated Listing
+ display. If a match is found, the cursor in the Listing will be placed on the found match
+ location. To execute this action, select SearchSearch Memory Forwards from the main tool menu or press
+ F3 (the default keybinding.)
+
+
+
Search Memory Backwards:
+
+
This action will use the input data and settings from the last memory search and begin
+ searching backwards in memory starting at the cursor location in the associated Listing
+ display. If a match is found, the cursor in the Listing will be placed on the found match
+ location. To execute this action, select SearchSearch Memory Backwards from the main tool menu or press
+ <Shift>F3 (the default keybinding.)
+
+
+
Highlight Search Options
+
+
+
You can control how the bytes found in the search be highlighted in the Code Browser by
+ selecting the Highlight Search Results checkbox on the Search Options panel. To view
+ the Search Options, select Edit
+ Tool Options... from the tool menu, then select the Search node in the
+ Options tree in the Options dialog. You can also change the highlight color. Click on the
+ color bar next to Highlight Color to bring up a color chooser. Choose the new color,
+ click on the OK button. Apply your changes by clicking on the OK or
+ Apply button on the Options dialog.
+
+
+
Highlights are displayed for the
+ last search that you did. For example, if you bring up the Search Program Text dialog and
+ search for text, that string now becomes the new highlight string. Similarly, if you
+ invoke cursor
+ text highlighting, that becomes the new highlight string.
+
+
+
Highlights are removed when you close the search window.
+
+
-
The previous operations can only work on a
- single selected region. If multiple regions are selected, the following error dialog
- will be shown and the operation will be cancelled.
The previous operations can only work on a + single selected region. If multiple regions are selected, the following error dialog + will be shown and the operation will be cancelled.
- Memory
By default, search windows and their
+ tabs display "Search Memory:" followed by the search string and the program name. This
+ can be changed by right-clicking on the title or table to change its name. (This is true
+ for all transient windows.)
