Friday, December 4, 2015

Finding Strings in a Running Program's Memory

There is a simple, effective tool from Sysinternals called Strings that scans a binary file for runs of printable text. If you want to look for strings in the memory of a process, you first need a dump of that memory. That is easily done by selecting the process in Task Manager, right-clicking its entry, and choosing "Create dump file." Then run the resulting file through strings.exe, optionally specifying a custom minimum string length with -n.

Since most processes (even the simple Notepad) will have lots of strings in their memory, you might want to pipe the output into findstr. Example command:

strings notepad.DMP | findstr Important

That will print every string in the dump file (i.e. in the process's memory at the time of the dump) that contains the word "Important".
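As an added illustration (not part of the original post), here is a small Python re-implementation of the strings | findstr step above, so the logic is visible: it scans for ASCII and UTF-16LE runs of at least n characters (Windows processes keep most of their text as UTF-16, which is why a plain ASCII scan misses a lot) and then filters by substring, which is handy for checking whether a secret your own application was supposed to scrub is still sitting in its memory. The sample bytes are constructed to stand in for a dump; the file name in the usage comment is the one from the post.

```python
import re
import sys

# Constructed stand-in for a few bytes of a process dump: two text
# encodings mixed with binary noise (0x80 bytes break up adjacent runs).
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00\x80"
    + b"Important: config loaded\x00\x80"
    + "Important secret token".encode("utf-16-le") + b"\x80\x80"
    + b"ab\x00\x80"                                   # too short to report
    + "C:\\Users\\demo\\notes.txt".encode("utf-16-le") + b"\x00\x00"
)


def extract_strings(data: bytes, min_len: int = 3):
    """Return (offset, encoding, text) for every run of at least min_len
    printable characters, in ASCII or UTF-16LE, like strings.exe -n."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text from the ASCII range is "char, NUL, char, NUL, ...".
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)          # by offset, as a dump tool would list them


def grep_strings(data: bytes, needle: str, min_len: int = 3):
    """Equivalent of `strings dump | findstr needle`. Like findstr without
    /I, the match is case-sensitive."""
    return [s for s in extract_strings(data, min_len) if needle in s[2]]


if __name__ == "__main__":
    # Usage: python memstrings.py notepad.DMP Important [min_len]
    # (reads the whole dump into memory, so expect it to take a while
    # on a large process)
    dump_path, needle = sys.argv[1], sys.argv[2]
    n = int(sys.argv[3]) if len(sys.argv) > 3 else 3
    with open(dump_path, "rb") as f:
        for offset, enc, text in grep_strings(f.read(), needle, n):
            print(f"{offset:#010x} {enc:8} {text}")
```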

(I am aware of the strings view in the VMMap utility, but it appears to not always work.)
