PsSearchVirtualMemory

Searches for a pattern in virtual memory.

Syntax

PULSE_STATUS PsSearchVirtualMemory(
 [in] PPS_ENGINE pEngine,
 [in] uint64_t PageTableAddress,
 [in] uint16_t Selector,
 [in] uint64_t StartOffset,
 [in] uint64_t EndOffset,
 [in] void* pPattern,
 [in] uint32_t PatternSize,
 [in] uint32_t SearchStep,
 [in] uint8_t IgnoreGaps,
 [out, optional] uint64_t* pResult
);

Parameters

PPS_ENGINE pEngine

An opaque handle to an engine created by the EngCreateEngine function.

uint64_t PageTableAddress

The target page table root address. This page table is used to perform a page walk for the specified address. The currently loaded page-table address is stored in the CR3 register.

uint16_t Selector

The segment selector value used to convert the virtual address into a linear address.

uint64_t StartOffset

The segment offset at which the search begins.

uint64_t EndOffset

The segment offset at which the search ends.

void* pPattern

The buffer containing the pattern to search for.

uint32_t PatternSize

Specifies the size of the pattern.

uint32_t SearchStep

Specifies the search step size. For example, a search step of 0x1000 checks for the pattern at start, start + 0x1000, start + 2 * 0x1000, and so on.

uint8_t IgnoreGaps

Specifies whether gaps in memory should be ignored. A value of 0 means that the search stops when it encounters an unmapped memory region. A value of 1 means that the search skips unmapped memory regions and continues until EndOffset is reached.

uint64_t* pResult

Receives the address at which the first instance of the search pattern is found.

Return value

If the function succeeds, the return value is PULSE_STATUS_SUCCESS.

If it fails, it returns one of the PULSE_STATUS values. Possible return codes include, but are not limited to, the following:

PULSE_STATUS_INSUFFICIENT_RESOURCES
0xC0000002		 One of the memory allocations failed during initialization.
PULSE_STATUS_TIMEOUT
0xC0000007		 Might happen if
  • Transport I/O timed out.
  • No response was received from the debuggee within the request timeout period.
PULSE_STATUS_NOT_FOUND
0xC0000009		 The pattern was not found.
PULSE_STATUS_INVALID_PARAMETER
0xC0000010		 Might happen if
  • The pEngine parameter is NULL.
  • The pPattern parameter is NULL.
  • SearchStep is 0 while SearchDistance is not.
  • PatternSize is greater than the maximum allowed value (see remarks).
PULSE_STATUS_INVALID_PACKET
0xC0000031		 An invalid or unexpected packet was received in response.
PULSE_STATUS_INVALID_TRANSLATION
0xC0000021		 Virtual to linear address translation failed. This may occur if the effective address exceeds the segment limit or if a memory gap is encountered while the IgnoreGaps parameter is set to 0.
PULSE_STATUS_DEVICE_CONNECTION_LOST
0xC0000308		 The connection to the transport was lost. Try restarting the engine or the transport.

Remarks

The maximum pattern size can be determined using the PsRequestGetMaxSearchPatternSize function.

If StartOffset is greater than EndOffset, the search is performed backward.