Address is the memory location from which the search starts; it can be either a physical address or a virtual address.
ProcessId is the process that we want to modify based on its memory layout (cr3); it can't be null or zero.
MemoryType shows whether the Address is a physical address or a virtual address.
You can see its values in the following enum:
ByteSize shows whether we want to search the target Address in a byte, dword, or qword format.
The above structure is added on top of an array of 64-bit values, which is the new content to the memory.
For example, if you want to search the target's memory for 0x90 0x90, then you should provide an array of 0x0000000000000090 and 0x0000000000000090 and append it to the end of the above structure. The count of these chunks is stored in CountOf64Chunks in the above structure, and the final buffer that is sent to the kernel has a size of FinalStructureSize bytes.
Also, you should provide a buffer (size = MaximumSearchResults * sizeof(UINT64)) as the output buffer, so the kernel-mode module will fill this buffer with a 64-bit array of addresses that match our search.
You can read the result buffer as a UINT64 array; if you encounter a null entry, it means there are no further results.
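The buffer layout described above, as an added example that is not HyperDbg's own code. Only the field names come from the text; the `search_hdr` type, its field order and widths, the enum values, and the `MAXIMUM_SEARCH_RESULTS` value are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed enum values; the real ones are defined by HyperDbg's headers. */
enum mem_type  { MEM_PHYSICAL = 0, MEM_VIRTUAL = 1 };
enum byte_size { SIZE_BYTE = 0, SIZE_DWORD = 1, SIZE_QWORD = 2 };

/* Hypothetical stand-in for the request header (layout is assumed). */
typedef struct {
    uint64_t Address;
    uint32_t ProcessId;
    uint32_t MemoryType;
    uint32_t ByteSize;
    uint32_t CountOf64Chunks;
    uint32_t FinalStructureSize;
} search_hdr;

#define MAXIMUM_SEARCH_RESULTS 16u /* constructed value for this example */

/* Build header + one 64-bit chunk per searched value; NULL on bad input. */
uint8_t *build_search_request(uint64_t address, uint32_t pid, uint32_t mem_type,
                              uint32_t byte_size, const uint64_t *values,
                              uint32_t count)
{
    if (pid == 0 || values == NULL || count == 0)
        return NULL; /* ProcessId can't be null or zero */
    if (count > (UINT32_MAX - sizeof(search_hdr)) / sizeof(uint64_t))
        return NULL; /* FinalStructureSize would overflow 32 bits */
    uint32_t total = (uint32_t)(sizeof(search_hdr) + count * sizeof(uint64_t));
    uint8_t *buf = calloc(1, total); /* zeroed, so padding carries no stale data */
    if (buf == NULL)
        return NULL;
    search_hdr *hdr = (search_hdr *)buf;
    hdr->Address = address;
    hdr->ProcessId = pid;
    hdr->MemoryType = mem_type;
    hdr->ByteSize = byte_size;
    hdr->CountOf64Chunks = count;
    hdr->FinalStructureSize = total;
    memcpy(buf + sizeof(search_hdr), values, count * sizeof(uint64_t));
    return buf;
}

/* Count matches in the output buffer: the first null entry ends the list,
   and a completely full buffer has no null entry at all. */
size_t count_results(const uint64_t *out, size_t capacity)
{
    size_t n = 0;
    while (n < capacity && out[n] != 0)
        n++;
    return n;
}
```

The caller frees the returned request buffer and allocates the output buffer as `MAXIMUM_SEARCH_RESULTS * sizeof(uint64_t)` bytes, zeroed before the request is sent.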
You can search for as many bytes as you need in byte, dword, and qword formats. Just add the multiple byte(s) values to the end of the command.
In the current implementation of physical memory search, the address should also be available and mapped to the target process's virtual address space.
Physical addresses are not validated in HyperDbg, which means if you access an invalid physical address, then the debuggee halts or crashes.
This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.