There is an array of objects and the goal is to find the biggest ones. DumpArray outputs the record addresses which we may use:
0:014> !DumpArray /d 000001d837b4d860
To iterate the addresses, the .foreach command can be used:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-foreach
Let’s first write a command that iterates over the !DumpArray command output:
0:014> .foreach (record { !DumpArray /d 000001d837b4d860 }) { .echo ${record} }
In detail, the script does the following:
1. Parses the output of the command. The resulting output is an array of strings. record is the variable name of the array element.
(record { !DumpArray /d 000001d837b4d860 })
2. Executes the command for each element in the array. ${record} can be used to reference the variable value:
{ .echo ${record} }
Now our goal is to remove the unnecessary lines. This can be done using the /pS and /ps parameters.
/pS skips the first n records of the array. In our case, we don’t need anything up to and including [0]. There are 22 such records. The parameters use hexadecimal format, so instead of 22 we need to use 16 (0x16).
0:014> .foreach /pS 16 (record { !DumpArray /d 000001d837b4d860 }) { .echo ${record} }
Looks better, but we still have the [n] values. Using the /ps parameter, it is possible to take every n-th element in the array. In our case we want to take the odd lines. Using 1 for /ps, we get only the addresses.
0:014> .foreach /pS 16 /ps 1 (record { !DumpArray /d 000001d837b4d860 }) { .echo ${record} }
And finally, let’s change the .echo command to !objsize to get the size of each record.
0:014> .foreach /pS 16 /ps 1 (record { !DumpArray /d 000001d837b4d860 }) { !objsize ${record} }
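The skip counts above can be checked offline with a small Python model of how .foreach selects tokens. This is an added example, not code from the original post or from the debugger. SAMPLE is constructed output in the shape !DumpArray prints, and the function names are hypothetical.

```python
# Model of .foreach token selection; not debugger code.
# SAMPLE is constructed output in the shape SOS !DumpArray prints; the
# element addresses and method tables are made up for this illustration.
SAMPLE = """\
Name:        System.Object[]
MethodTable: 00007ffb11111111
EEClass:     00007ffb22222222
Size:        56(0x38) bytes
Array:       Rank 1, Number of elements 4, Type CLASS
Element Methodtable: 00007ffb33333333
[0] 000001d837b4d8a0
[1] 000001d837b4d8c8
[2] 000001d837b4d8f0
[3] 000001d837b4d918
"""


def initial_skip(output, marker="[0]"):
    """Number of whitespace-separated tokens up to and including marker."""
    return output.split().index(marker) + 1


def foreach_tokens(output, pS=0, ps=0):
    """Tokens that reach the command body: skip pS once, then ps after each."""
    tokens = output.split()
    return tokens[pS::ps + 1]


def build_command(array_addr, output, body="!objsize"):
    """Assemble the .foreach line with /pS in hex, as the debugger reads it."""
    return ".foreach /pS %x /ps 1 (record { !DumpArray /d %s }) { %s ${record} }" % (
        initial_skip(output), array_addr, body)


if __name__ == "__main__":
    n = initial_skip(SAMPLE)
    print("tokens to skip: %d decimal = %x hex" % (n, n))
    for addr in foreach_tokens(SAMPLE, pS=n, ps=1):
        print(addr)
    print(build_command("000001d837b4d860", SAMPLE))
```

The header token count depends on what the debugger prints for a given array, so recount it against the actual output rather than reusing 16.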