@mentha
Created April 25, 2026 14:50

lldb DoFindInMemory bug demo

PR

usage

Start the target:

 $ ./target.py
Buffer region: [7f936c800000, 7f936d200000)
PID: 254438

Fire up another terminal and start the debugger:

 $ ./findinmemory.py 254438
Finding b'\x00\x00\x00\xff' (alignment 4) in [0x7f936c800000-0x7f936d200000)
1843026.748021394

The debugger will not finish (at least on my machine with 64 GB RAM); it is eventually killed by the OOM killer.

Ctrl-C will not interrupt it because the Python process is stuck inside lldb's C++ code.

Currently this function is not exposed as an lldb command, so a standalone Python script is required to call it through the API.

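#!/usr/bin/env python3
"""Debugger side of the FindInMemory repro.

Usage: ./findinmemory.py PID

Attaches to the running target.py, locates the single readable+writable
region that is at least ``nbytes`` long (the target's buffer) and asks
SBProcess.FindInMemory to search it for the 4-byte value 0xff000000
(bytes 00 00 00 ff on a little-endian host). Timestamps are printed
around the call so a hang is visible; on the affected lldb the call never
returns and the process eventually gets OOM-killed.
"""
from ctypes import c_uint32, alignment
from time import monotonic
import sys

import lldb

# Must match the buffer size in target.py, otherwise no region qualifies.
nbytes = 1024**2 * 10

if len(sys.argv) != 2 or not sys.argv[1].isdigit():
    sys.exit(f'usage: {sys.argv[0]} PID')
pid = int(sys.argv[1])

lldb.SBDebugger.Initialize()
debugger: lldb.SBDebugger = lldb.SBDebugger.Create()
# Synchronous mode: API calls return once the process has actually stopped.
debugger.SetAsync(False)
# The target file only has to exist for the attach; the running interpreter
# is a convenient stand-in because target.py is itself a Python process.
target: lldb.SBTarget = debugger.CreateTargetWithFileAndArch(
    sys.executable, lldb.LLDB_ARCH_DEFAULT
)
if not target:
    sys.exit('failed to create target')

error = lldb.SBError()
process: lldb.SBProcess = target.AttachToProcessWithID(
    debugger.GetListener(), pid, error
)
# Report attach failures (wrong PID, ptrace denied, ...) instead of
# tripping over an invalid process object later.
if not error.Success() or not process:
    sys.exit(f'attach to pid {pid} failed: {error.GetCString()}')
if process.GetState() != lldb.eStateStopped:
    sys.exit('process is not stopped after attach')

# Locate the target's buffer: the only rw region of at least nbytes.
buffer_region = None
for region in process.GetMemoryRegions():
    region: lldb.SBMemoryRegionInfo
    if not (region.IsReadable() and region.IsWritable()):
        continue
    base = region.GetRegionBase()
    end = region.GetRegionEnd()
    if end - base >= nbytes:
        # Explicit check rather than assert: asserts vanish under -O and
        # a second candidate would silently make the search ambiguous.
        if buffer_region is not None:
            sys.exit(f'ambiguous: several rw regions >= {nbytes} bytes '
                     f'({buffer_region[0]:x}, {base:x})')
        buffer_region = (base, end)
if buffer_region is None:
    sys.exit(f'no rw region of at least {nbytes} bytes found in pid {pid}')

buffer_addr = lldb.SBAddress(buffer_region[0], target)
buffer_range = lldb.SBAddressRange(buffer_addr, buffer_region[1] - buffer_region[0])

find_data = c_uint32(0xff000000)
find_align = alignment(find_data)  # natural alignment of a uint32
find_bytes = bytes(find_data)      # native byte order, same as target.py wrote
print(f'Finding {find_bytes} (alignment {find_align}) in {buffer_range}')
print(monotonic())
res = process.FindInMemory(find_bytes, buffer_range, find_align, error)
print(monotonic())
# Only reached once the bug is fixed; report the outcome either way.
if error.Success():
    print(f'found at {res:#x}' if res != lldb.LLDB_INVALID_ADDRESS else 'not found')
else:
    print('FindInMemory failed:', error.GetCString())

process.Detach()
lldb.SBDebugger.Destroy(debugger)
lldb.SBDebugger.Terminate()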
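#!/usr/bin/env python3
"""Target process for the FindInMemory repro.

Maps a 10 MB anonymous, zero-filled buffer, plants a two-word pattern at
its very end, prints the buffer's address range and this process's PID,
and then blocks on stdin until the debugger side is finished with it.
"""
from ctypes import c_uint32, addressof, sizeof, memset
from mmap import mmap, MAP_PRIVATE, MAP_ANONYMOUS
import os

nbytes = 1024**2 * 10  # 10MB buffer; findinmemory.py looks for a rw region at least this large

# Private anonymous mapping; trackfd=False keeps no fd open for it.
pages = mmap(-1, nbytes, MAP_PRIVATE | MAP_ANONYMOUS, trackfd=False)
size = nbytes // sizeof(c_uint32)
buffer_type = c_uint32 * size
# ctypes array aliasing the mapping. It holds a buffer export on `pages`,
# so it has to be dropped before the mapping can be closed.
buffer = buffer_type.from_buffer(pages)
# Anonymous mappings start out zero-filled; the memset just makes that explicit.
memset(addressof(buffer), 0, sizeof(buffer))
buffer[size - 2] = 0x000000ff
buffer[size - 1] = 0xff000000
# Resulting bytes in native order (little-endian on x86_64):
# {
#   ...,
#   0, 0, 0, 0,
#   0xff, 0, 0, 0,
#   0, 0, 0, 0xff
# }
print(f'Buffer region: [{addressof(buffer):x}, {addressof(buffer) + nbytes:x})')
print('PID:', os.getpid())
try:
    # Keep the mapping alive until the debugger is done; Enter or EOF on
    # stdin ends the target instead of dumping a traceback.
    input()
except EOFError:
    pass
finally:
    del buffer  # release the buffer export so the mapping can be unmapped
    pages.close()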