Click here to Skip to main content
15,867,568 members
Articles / Web Development / ASP.NET

NET Debugging: Dump All Strings from a Managed Code Process Running

Rate me:
Please Sign up or sign in to vote.
5.00/5 (11 votes)
3 Nov 2011CPOL3 min read 59.1K   540   50   4
Advanced Debugging Processes

Introduction

Sometimes, we would like to know which critical information is in our process, like bank accounts or credit card numbers because we need to protect this information from malicious people, or just by simple exploration of which internal strings are there. The task is very simple. In the picture, we revealed the hidden text in the password. The procedure is applicable for every single .NET Running Process including IIS Worker Processes.

Final Output Picture

Image 1

System.String class is one of the most used classes in .NET World. I cannot imagine a simple or Enterprise Software that does not use this.

We will use Windows Debugger and a simple script to do this task.

  1. Launch Windbg (The favourite tool that Microsoft Support uses) if you do not have this, please download from Microsoft Site.
  2. Copy the file %windir%\Microsoft.NET\Framework\v2.0.XXXXXX\SOS.DLL to %programfiles%\Debugging tools for windows\.
  3. Execute the sampleApp.exe attached to this mail (This is a dummy sample app.)
  4. Fill username and password, e.g., username=renepa and password= www.xtreemcorp.com
  5. Press OK button.
  6. Return to Windbg and press F6 to Attach a file.
  7. In the process list, choose SampleAPP.exe.
  8. In the Windbg, put the command: .load sos it allows to load the extension SOS.DLL which is a .NET Debugging helper file. It contains a lot of new commands and facilities to debug .Manager Apps.
  9. SOS.DLL contains a very interesting command, !dumpheap, which allows to dump all classes which are in memory. It traverses the .NET Heap and dumps all the allocated objects. It also can be used to detect high memory usage. We will explain this in other articles.
    1. !dumpheap –type System.String This command allow us to dump all the memory addresses for a System.String classes. The output will be:

      Image 2

      Please take a look at this output: Address (The pointer to the String class), MT=Method Table, which is the pointer to the list of methods that System.String supports (We are not going to use MT at this time), and Size of this class.

    2. !dumpheap –type System.String –short: This command will show just the memory addresses for the strings currently in memory.
    3. !do[memoryaddress]: This command will dump the object from memory. Let's explore the second string: e.g.: !do 014d11c8

      Image 3

    4. The string is: C:\blog\dumpstrings\SampleAPP\SampleAPP\bin\Debug\. But we are interested just in the chars itself, not in the complete class. Where are the characters located? Looking a little at the class we found that the m_first char is in the STRING MEMORY ADDRESS+c (Hexadecimal values). We can confirm this by exploring the memory address 014d11c8+c=014d11d4.

      Image 4

    5. This is exactly what we are looking for. The first char of the string is located at: String Class Address + c. Please see in memory that every char for C letter is 43 00. What does this mean? Unicode? YES.
    6. Windbg allows to iterate by each memory address that we dump with !dumpheap –type System.String –short.
    7. Putting everything together in a simple Windbg command:
      1. .foreach (obj {!dumpheap -type System.String -short}) {.printf "\n%mu",${obj}+c}
      2. .foreach = similar to C# foreach
      3. Every single memory address for String will be stored temporary in obj which is a temporal variable depending the iteration.
        1. .printf “\n%mu” prints a Unicode array of chars terminated in NULL
        2. ${obj}+c = address of the first char in the string. Remember why we sum +c to the string pointer.
    1. We got the first picture of this article.

History

  • 1st October, 2009: Initial post
  • 3rd November, 2011: Article updated

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Tester / Quality Assurance
Bolivia Bolivia
Quality Assurance

Comments and Discussions

 
Generalx64 Issue Pin
squawk6-Oct-09 7:10
squawk6-Oct-09 7:10 
GeneralRe: x64 Issue Pin
Rene Pally6-Oct-09 7:42
Rene Pally6-Oct-09 7:42 
QuestionHave you explored other alternatives? Pin
Sandeep Datta5-Oct-09 21:03
Sandeep Datta5-Oct-09 21:03 
AnswerRe: Have you explored other alternatives? Pin
Rene Pally6-Oct-09 3:12
Rene Pally6-Oct-09 3:12 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.