search
DownloadResearchTutorialhwdbg
githubEdit

db, dc, dd, dq (read virtual memory)

Description of 'db, dc, dd, dq' commands in HyperDbg.

hashtag
Command

db : read memory as Byte values and ASCII characters

dc : read memory as Double-word values (4 bytes) and ASCII characters

dd : read memory as Double-word values (4 bytes)

dq : read memory as Quad-word values (8 bytes)

hashtag
Syntax

db [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]

dc [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]

dd [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]

dq [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]

hashtag
Description

Shows the virtual address memory content in hex form.

hashtag
Parameters

[Address (hex)]

The virtual address of where we want to read its memory.

[l Length (hex)] (optional)

The length (byte) in hex format.

[pid ProcessId (hex)] (optional)

The Process ID in hex format that we want to see the memory from its context (cr3).

circle-info

If you don't specify the pid, then the default pid is the current process (HyperDbg) process layout of memory.

triangle-exclamation

In the Debugger Modearrow-up-right, the pid (parameter) is ignored. If you want to view another process memory, use the '.processarrow-up-right' command to switch to another process memory layout.

hashtag
Examples

The following command is used when we want to read the content of memory at nt!Kd_DEFAULT_Mask with length of 0x50from the memory layout view of process (4 a.k.a. system process) in a hex byte format.

The following command is used when we want to read the content of memory at nt!Kd_DEFAULT_Mask+@rax+10 with length of 0x30from the memory layout view of process (4 a.k.a. system process) in a hex byte format.

Note that @rax is 0x10 in this case.

The following command is used when we want to read the content of memory at fffff800`3ad6f010 with length of 0x50 from the memory layout view of process (4 a.k.a. system process) in a hex byte format.

The following example shows the content of memory at fffff800`3ad6f010 from current process layout in a Double-word value (4 bytes) and ASCII characters format.

The following example shows the content of memory at fffff800`3ad6f010 from current process layout in a Double-word values (4 bytes) format with the length of 0x10.

The following example shows the content of memory at fffff800`3ad6f010 from current process layout in a Quad-word values (8 bytes) format.

hashtag
SDK

To read the memory in the target debuggee, you need to use the following function in libhyperdbg:

hashtag
Remarks

  • If you don't specify the length, the default length for HyperDbg is 0x80 Bytes.

circle-exclamation

Please note that you should specify a space between 'l' and the length in HyperDbg. For example, 'l10' is invalid, but 'l 10' is valid. (It's opposed to windbg).

This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.

hashtag
Requirements

None

hashtag
Related

!db, !dc, !dd, !dq (read physical memory)arrow-up-right

Previousx (examine symbols and find functions and variables address)Nexteb, ed, eq (edit virtual memory)

Last updated