Sunday, December 7, 2014

Looking at Strings with VMMap

As I was perusing the Windows Sysinternals Administrator's Reference, I learned about VMMap, a Sysinternals utility that inspects the memory allocations of a running process. One of its features is the Strings dialog, which presents a list of all the text strings (including Unicode) it could find in the loaded images (e.g. EXE, DLL). You can scroll through the list to discover all the things the program could say or think about, like error messages or parseable commands.

I used it on Abiathar and was very interested by the groupings of the texts. It seems the .NET compiler places string literals from the same methods and classes together for the most part. All the possible splash screen messages were together starting at 0x0037BAD8 in the executable file, 0x0086D6D8 in the process address space (but that might move around, I'm not sure). It also sees the strings compiled into the programs and files embedded in Abiathar, like the KeenGraph executable and the game maps files. The .NET compiler seems to write the names of all the methods, even if they're declared Private.

[Screenshot: Some strings in Abiathar, from the Level Inspector subroutine]

You can download the Sysinternals Suite from its Microsoft TechNet subsite.
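
To see what a strings scan of an image involves, and to check what your own build exposes (such as private method names), here is a small scanner that finds both ASCII and UTF-16LE runs, reports their offsets, and groups neighbouring hits. It is an added example, not VMMap's implementation and not code from the original post; the 4-character minimum, the 8-byte grouping gap, the base address and the sample buffer are all assumptions made for illustration.

```python
import re

MIN_LEN = 4  # assumed threshold; shorter runs are mostly noise
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# The same printable characters stored as UTF-16LE: each followed by a 0x00 byte.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data, base=0):
    """Return sorted (offset, encoding, text) for every string run in data.

    base is added to each offset: 0 gives file offsets, a load address gives
    positions in the process address space.
    """
    hits = [(base + m.start(), "utf-16le", m.group().decode("utf-16-le"))
            for m in UTF16_RE.finditer(data)]
    hits += [(base + m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(data)]
    return sorted(hits)


def group_adjacent(hits, gap=8):
    """Cluster hits whose start lies within gap bytes of the previous hit's end."""
    groups, prev_end = [], None
    for off, enc, text in hits:
        if prev_end is None or off - prev_end > gap:
            groups.append([])
        groups[-1].append(text)
        prev_end = off + len(text) * (2 if enc == "utf-16le" else 1)
    return groups


# Constructed sample, not bytes from Abiathar: two method names stored as
# NUL-terminated ASCII, binary filler, then two UTF-16LE string literals.
NAMES = b"\x00".join([b"LevelInspector_Load", b"ShowSplash"]) + b"\x00"
FILLER = bytes([0x01, 0xFF, 0x90, 0x02] * 8)
LITERALS = b"\x00\x00".join(s.encode("utf-16-le")
                            for s in ["Loading levels...", "Level not found"])
SAMPLE = NAMES + FILLER + LITERALS

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE, base=0x400000):  # assumed base
        print(f"0x{off:08X}  {enc:<8}  {text}")
    print(group_adjacent(extract_strings(SAMPLE)))
```

Passing the same data with a different `base` shows why one string has both a file offset and a process address, as with the two splash screen addresses above.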
