Search and promenade memory
The debuggee's memory map (Windows 9x and ME)
The debuggee's memory map (Windows NT, 2000 and XP)
Searching memory
Specifying the search areas
Viewing the search results
Memory promenade
Viewing the promenade results
Excluded areas
Dumping the search/promenade results
Printing the search/promenade results

The debuggee's memory map (Windows 9x and ME)
Shared memory area:-
C0000000h to FFFFFFFFh
(3GB to 4GB)

Memory page tables and page directory
Ring 0 components, handles, event objects, memory contexts etc
Shared memory area:-
80000000h to BFFFFFFFh
(2GB to 3GB)

System Dlls and their heaps
PE Pseudo headers
Memory mapped files
Process and thread databases, thread information block
NE modules for 16-bit and 32-bit executables
Message queues, window lists etc
Debuggee's own address space:-
400000h to 7FFFFFFFh
(4MB to 2GB)

Debuggee's allocated memory heaps
Debuggee's stack
Debuggee's environment
Debuggee's default heap
Debugee's Dlls
Debuggee's own image
Shared memory area:-
0h to 400000h
(0 to 4MB)

Some NE modules for 16-bit executables
Some 16-bit DGROUPs
MS-DOS

The debuggee's memory map (Windows NT, 2000 and XP)
Shared memory area:-
C0800000h to FFFFFFFFh
(to 4GB)

System cache, paged pool, ROM BIOS code and data
Shared user data
Processor control area, register context
System memory area:-
80000000h to C0800000h

Interrupt vector table, descriptor tables, VGA ROM BIOS, Kernel services, Page-directories and tables
Upper guard block:-
7FFEFFFFh to 7FFFFFFFh
64K just below 2GB

No-access region for programs to catch wild pointers caused by common programming errors.
Debuggee's own address space:-
10000h to 7FFEFFFFh
(64K to 2GB less 64K)

Debuggee's allocated memory heaps
Debuggee's stack
Debuggee's environment
Debuggee's default heap
Debuggee's own image
Debuggee's own Dlls
System Dlls used by the debuggee
Lower guard block:-
0h to 10000h
(0 to 64K)

No-access region for programs to catch wild pointers caused by common programming errors.

Searching memory
The menu item, "Inspect, search/promenade memory" produces the search/promenade dialog. You can use this to search the debuggee's address space (and shared memory) for specific strings (numbers or text) which you believe might be in memory somewhere.

Here the user has changed the combo box on the right hand side to "search as Unicode UTF16 string" and has entered the string "section". On clicking "search now" this produces a number of "finds":-

Note that if you are running GoBug under Windows NT/2000/XP, then most strings will be held by the system in Unicode format. The UTF16 format represents most characters as 16-bit words.
If you a running GoBug under Windows 9x or ME, most strings will be held by the system in ANSI format.
You can choose which format to use for the search by dropping down the combo box. You can choose dwords, word or bytes (only relevant for hex numbers), Unicode UTF16, Unicode UTF8 or ANSI.
In some cases you are able to find the string you are actually searching for, held by the system itself.
Remember that this search is of the debuggee's address space and shared memory areas.

Specifying the search areas
Instead of specifying the search area directly in the "Search from" and "to:" combo boxes, you can specify the area more rapidly by switching on the "Get new search area from selection" checkbox. Then you can use the contents of the result box to provide the search area. Use the Crtl and Shft keys with the mouse to highlight the area you wish to search.
In Windows 9x and ME, above 3GB the search tends to be slow. This is because the API VirtualQueryEx seems to work very slowly above that address. Hence you can switch the search on or off above that address.
In Windows NT, 2000 and XP normally you can't search above 2GB.

Viewing the search results
There are two ways to view the memory area which holds a "find".The easiest way is to switch on the "Show search result window" checkbox. This causes a special inspector called a "Search inspector" to appear when a "find" occurs.This inspector has special left/right scroll buttons so that you can rapidly move from one find to the next. The other way to view the memory area which holds a find is to highlight the find in the result box and then click either the "View as data" or "View as code 32" buttons. Use the Crtl or Shft keys to select several areas to view. The "View" buttons create data or code inspectors which normally disappear when the dialog is closed. If you want them to remain as inspector panes, click on "keep any inspectors made".

Memory promenade
The menu item, "Inspect, search/promenade memory" produces the search/promenade dialog. If you click in the "promenade" button, GoBug tests each area of memory starting from zero. GoBug checks whether it is allowed to read the area of memory and if so, it will report the area in the result box.
The results you see will depend on which Windows version you are running GoBug. Under 9x and ME the information tends to be more extensive, because there are more internal areas available to view. Here are some typical results under Windows 98:-

If GoBug recognises the area of memory or its contents it will give more information about it, if not there will be nothing under "Description of Area". GoBug uses the API VirtualQueryEx to check each memory area, and the "address" and "size" columns are from the results of the call. In Windows 9x and ME above 3GB this API works very slowly, which is why you can switch the promenade on or off above that address. In Windows NT, 2000 and XP normally you cannot read memory above 2GB so the switch is set to that value when running GoBug on those systems.

Viewing the promenade results
To view an area of memory shown by the promenade click on the result box and click either "View as data" or "View as code 32". Use the Crtl or Shft keys to select several areas to view. The "View" buttons create data or code inspectors which normally disappear when the dialog is closed. If you want them to remain as inspector panes, click on "keep any inspectors made". While the promenade dialog is open, the data inspectors know a little more about the memory areas than usual. This is because the promenade takes a snapshot of the memory areas using the Toolhelp API. This is temporary information which is lost when the promenade dialog is closed.

Excluded areas
Under Windows 9x and ME, there is no promenade or search between 0A0000h and 0AFFFFh. This is to avoid certain problems which were found when GoBug was under test when trying to read within this memory area.

Here is an explanation for some not so obvious memory areas you will see in the promenade results when running under 9x and ME:-

A PE Pseudo header is a database containing information about a 32-bit executable. The system under 9x and ME creates this database for every loaded 32-bit executable in the format IMAGE_FILE_HEADER (defined in the Microsoft header file Winnt.h). The database is used by the system to find quickly the component parts of the executable. These areas do not exist under NT/2000/XP.

An NE module is a database containing information about the executable, for use by the system. It always starts with the signature "NE" for "New Executable". The system creates NE modules for both 32-bit and 16-bit executables under 9x and ME, but not under NT/2000/XP.

Dumping the search/promenade results
Click on the "dump results" button in the search/promenade dialog. Choose a file name for the dumped file (GoBug will suggest a name). Choose a path for the file to be written (GoBug will remember this for the next time you debug this particular exe). Choose the type of file to make (use ANSI unless you want to make a Unicode file because you are using non-Roman characters in your filenames and section names). The results are always dumped in full. The file which is created on this dump is plain text with carriage returns and line feeds but no tabs. It is usually best to view the dumped file with an editor set to a fixed width font (as opposed to a proportionally spaced font).

Printing the search/promenade results
Click on the "print results" button in the search/promenade dialog. The results are always printed in full (the number of pages appears in the print dialog). You can change the font used for printing by using the "settings, fonts, when printing" menu item.