| description |
|---|
Description of the 'x' command in HyperDbg. |
x
x [Module!Symbol (wildcard string)]
Finds the functions or variables address in the memory based on symbols.
[Module!Symbol (wildcard string)]
Specifies a function or a variable name or a pattern that the symbol must contain. The Symbol can contain a variety of wildcard characters and specifiers. (For more information about the syntax, see Remarks)
In the following example, we searched for the address of the ExAllocatePoolWithTag function in the nt module.
HyperDbg> x nt!ExAllocatePoolWithTag
fffff803`1dbb1030 nt!ExAllocatePoolWithTag
In the following example, we searched for the address of functions (and names) which, starts with ExAllocatePoo in the nt module.
0: kHyperDbg> x nt!ExAllocatePoo*
fffff803`1dbb1030 nt!ExAllocatePoolWithTag
fffff803`1d4421d0 nt!ExAllocatePoolWithQuotaTag
fffff803`1d44fde0 nt!ExAllocatePoolWithTagPriority
fffff803`1d522500 nt!ExAllocatePool
fffff803`1dbb1340 nt!ExAllocatePool3
fffff803`1dbb1280 nt!ExAllocatePool2
fffff803`1d7ad3d0 nt!ExAllocatePoolWithQuota
fffff803`1d45c5c0 nt!ExAllocatePoolEx
fffff803`1dbe9d84 nt!ExAllocatePoolSanityChecks
fffff803`1d4a1070 nt!ExAllocatePoolMm
None
{% hint style="info" %}
The default module is nt. If you don't specify the module name, then nt is selected.
{% endhint %}
These are some examples of wildcard characters supported by this command.
| Value | Meaning |
|---|---|
| foo | Looks for a global symbol (functions, variables) named "foo". |
| foo? | Looks for a global symbol that starts with "foo" and contains one extra character afterward, such as "fool" and "foot". |
| foo!bar* | Looks for a global symbol in "foo" that starts with "bar" and contains extra characters afterward, such as "foo!bar1" and "foo!bar2". |
None
None