Updating .NET String in memory with Windbg
June 14, 2011
In this post I will show a simple trick to update .NET strings in memory with Windbg. The caveat: make sure the string you are writing fits into the existing string buffer. If it does not, the write will corrupt memory.
Here is a simple Windows Forms application with the title “Good”.
The goal is to update the title from “Good” to “Bad”.
button1.Click += (s,b) => Text = _caption;
The title is updated in the button's click handler.
Here is the actual string object within the debugger:
0:006> !do 0294d0a0
Name:        System.String
MethodTable: 59b9fb64
EEClass:     598d8bb0
Size:        22(0x16) bytes
File:        C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_220.127.116.11__b77a5c561934e089\mscorlib.dll
String:      Good
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
59ba2b30  40000ed        4         System.Int32  1 instance        4 m_stringLength
59ba1f80  40000ee        8          System.Char  1 instance       47 m_firstChar
59b9fb64  40000ef        8        System.String  0   shared   static Empty
    >> Domain:Value  004b0308:02941228 <<
I will use the e command to update the memory. The ezu variant is used for writing a null-terminated Unicode string.
Notice in the output above that the first character starts at offset 8, so we have to start updating the string from offset 8. The first 8 bytes of the object are for the syncblock index and method table pointer.
Here is the command to update the string memory.
ezu 0294d0a0+8 "Bad"
And the updated form title.
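The fit caveat and the offset-8 write, modelled in Python as an added example (not code from the original post). The byte image is constructed from the offsets in the !do output, the function names are hypothetical, and the model also shows that m_stringLength still reads 4 after the write.

```python
import struct

# Offsets taken from the !do output in the post (32-bit CLR 4 String object).
OFF_LENGTH = 4        # m_stringLength (Int32)
OFF_FIRST_CHAR = 8    # m_firstChar, start of the UTF-16 character data


def make_string_object(text, method_table=0x59B9FB64):
    """Constructed byte image of a String object, starting at its address."""
    chars = (text + "\0").encode("utf-16-le")  # character data plus trailing NUL
    return bytearray(struct.pack("<II", method_table, len(text)) + chars)


def ezu(obj, offset, new_text):
    """Model of `ezu <addr>+<offset> "text"`: UTF-16 chars plus a NUL terminator."""
    data = (new_text + "\0").encode("utf-16-le")
    if offset + len(data) > len(obj):
        # WinDbg performs no such check: a longer write runs past this object's
        # buffer, which is the memory corruption the post warns about.
        raise ValueError(f"{len(data)} bytes do not fit in {len(obj) - offset}")
    obj[offset:offset + len(data)] = data


def managed_view(obj):
    """What managed code sees: exactly m_stringLength chars, NULs included."""
    (length,) = struct.unpack_from("<i", obj, OFF_LENGTH)
    return obj[OFF_FIRST_CHAR:OFF_FIRST_CHAR + 2 * length].decode("utf-16-le")


def nul_terminated_view(obj):
    """What a reader that stops at the first NUL sees."""
    return obj[OFF_FIRST_CHAR:].decode("utf-16-le").split("\0")[0]


def patch_demo():
    """Replay the post's edit: "Good" patched to "Bad" at offset 8."""
    obj = make_string_object("Good")
    ezu(obj, OFF_FIRST_CHAR, "Bad")
    return managed_view(obj), nul_terminated_view(obj)


if __name__ == "__main__":
    print(patch_demo())
```

After the patch the managed string is still four characters long, with the NUL written by ezu as its last character, because only the character data was changed and not m_stringLength at offset 4.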