4

One can dump all the strings using the following command: `!dumpheap -type System.string`

How can I dump or print only those strings which start with or contain a specific "string"?

Example: I am only interested in viewing the strings which contain "/my/app/request".

Brian Rasmussen
imasud

4 Answers

4

Use sosex instead of sos for this. It has a !strings command which allows you to filter strings using the /m:<filter> option.

Brian Rasmussen
3

Use !sosex.strings. See !sosex.help for options to filter strings based on content and/or length.

Steve Johnson
1

Not sure if !dumpheap supports that. You can always use .logopen to redirect the output to a file and post-process that. For a more elegant (and thus more complicated) solution, you can also use .shell to redirect the command output to a shell process for parsing. Here's an example:

http://blogs.msdn.com/b/baleixo/archive/2008/09/06/using-shell-to-search-text.aspx

You can also see the .shell documentation for more details:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff565339(v=vs.85).aspx

snoone
  • I was hoping to see if we could use .foreach from !DumpHeap output and only print out the string if it contains a specified string. – imasud Sep 12 '12 at 22:15
  • I tried to use .shell and it works for short strings. On long strings it suffers either from limited string output of the `!do` command or from line breaks of the `du` command. See my answer for a solution without SOSEX. This is my .shell command: `.shell -ci".foreach (string {!dumpheap -short -type System.String}) { du /c80 ${string}+c L80 }" find "mySearchTerm"` – Thomas Weller Dec 27 '13 at 23:18
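An added example, not part of any answer on this page, of the `.logopen` post-processing route: it reads a log captured while running the `du /c80 ${string}+c` loop and rejoins line-broken chunks before searching, so a term split across two `du` lines is still found. The function names, the constructed sample log (with a shortened chunk width) and the assumed line layout (hex address, whitespace, quoted chunk) are assumptions of this example.

```python
import re

# One line of `du` output: hex address (64-bit targets print a backtick
# in the middle), whitespace, then the quoted chunk of characters.
DU_LINE = re.compile(r'^([0-9a-fA-F`]+)\s+"(.*)"\s*$')

def join_du_chunks(log_text):
    """Rebuild whole strings from du output lines.

    A line continues the previous one when its address equals the start
    address plus 2 bytes per character collected so far (UTF-16).
    Two different heap strings never satisfy this, because an object
    header and a terminator sit between them.
    Returns a list of (start_address, text) tuples.
    """
    strings = []
    start, text = None, ""
    for line in log_text.splitlines():
        m = DU_LINE.match(line.strip())
        if not m:
            continue  # debugger prompts, blank lines, other output
        addr = int(m.group(1).replace("`", ""), 16)
        chunk = m.group(2)
        if start is not None and addr == start + 2 * len(text):
            text += chunk  # continuation of the current string
        else:
            if start is not None:
                strings.append((start, text))
            start, text = addr, chunk
    if start is not None:
        strings.append((start, text))
    return strings

def find_strings(log_text, needle):
    """Return (address, text) for every rebuilt string containing needle."""
    return [(a, s) for a, s in join_du_chunks(log_text) if needle in s]

# Constructed sample log: three strings, two of them broken across lines.
SAMPLE_LOG = '''0:000> .foreach (string {!dumpheap -short -type System.String}) { du ${string}+c }
01a3b00c  "GET /my/app/"
01a3b024  "request?id=7"
01a3b03c  "&x=1"
01a3c10c  "Content-Type"
01a3d20c  "/my/app/requ"
01a3d224  "est/status"
'''

if __name__ == "__main__":
    for addr, text in find_strings(SAMPLE_LOG, "/my/app/request"):
        print(f"{addr:08x}  {text}")
```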
1

If you really want to go without SOSEX, then try

```
.foreach (string {!dumpheap -short -type System.String}) { .foreach (search {s -u ${string}+c ${string}+c+2*poi(${string}+8) "mySearchTerm"}) { du /c80 ${string}+c }}
```

It uses

  • !dumpheap to get all Strings on .NET heap
  • .foreach to iterate over them
  • s to search for a substring
  • .foreach again to find out if s found something
  • some offset calculations to get the first character (+c) of the string and the string length (+8) (multiplied by 2 to get bytes instead of characters). Those need to be adapted in case of 64 bit applications

The /c80 is just for nicer output. You could also use !do ${string} instead of du /c80 ${string}+c if you like the .NET details of the String.

Thomas Weller