在windbg中通过s 命令在内存中查找字符串或者关键字节码信息
0:005> s -u 00c00000 L1000000 "你好 20:15 2012/6/620:15 2012/6/6" 01960d28 4f60 597d 0020 0032 0030 003a 0031 0035 `O}Y .2.0.:.1.5.
查看内存01960d28
01960d28 00 00 00 00 00 00 00 00 30 00 3a 00 31 00 35 00 20 00 ........0.:.1.5. . 01960d3a 32 00 30 00 31 00 32 00 2f 00 36 00 2f 00 36 00 32 00 2.0.1.2./.6./.6.2. 01960d4c 30 00 3a 00 31 00 35 00 20 00 32 00 30 00 31 00 32 00 0.:.1.5. .2.0.1.2. 01960d5e 2f 00 36 00 2f 00 36 00 00 00 00 00 00 00 00 00 00 00 /.6./.6...........
找到内容之后通过ba设置访问断点在任何函数访问该内存时将会中断
0:005> ba r4 01960d28 0:005> bl 0 du 0001 (0001) (@@masm(`ItemOperation.cpp:60+`)) 1 e 01960d28 r 4 0001 (0001) 0:**** 2 e 771c3540 0001 (0001) 0:**** ntdll!DbgBreakPoint
如此在程序访问该地址时将会中断到调试器
0:005> g Breakpoint 1 hit eax=019607d0 ebx=00000023 ecx=00000003 edx=0000002c esi=019607d0 edi=01960cd0 eip=76d29c9c esp=000fefa4 ebp=000fefa8 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 msvcrt!_VEC_memcpy+0x125: 76d29c9c 660f7f4760 movdqa xmmword ptr [edi+60h],xmm0 ds:0023:01960d30=003100300032002000350031003a0030
当然也可以根据自身需要查找相应的其他内容来实现设置相应的访问断点