Using info proc mapsounds like a better approach to me.

使用info proc map听起来对我来说是一种更好的方法。

(gdb) info proc map
process 930
Mapped address spaces:

      Start Addr           End Addr       Size     Offset objfile
        0x400000           0x401000     0x1000        0x0 /myapp
        0x600000           0x601000     0x1000        0x0 /myapp
        0x601000           0x602000     0x1000     0x1000 /myapp
  0x7ffff7a1c000     0x7ffff7bd2000   0x1b6000        0x0 /usr/lib64/libc-2.17.so
  0x7ffff7bd2000     0x7ffff7dd2000   0x200000   0x1b6000 /usr/lib64/libc-2.17.so
  0x7ffff7dd2000     0x7ffff7dd6000     0x4000   0x1b6000 /usr/lib64/libc-2.17.so
  0x7ffff7dd6000     0x7ffff7dd8000     0x2000   0x1ba000 /usr/lib64/libc-2.17.so

(gdb) find 0x7ffff7a1c000,0x7ffff7bd2000,"/bin/sh"
0x7ffff7b98489
1 pattern found.
(gdb) x /s 0x7ffff7b98489
0x7ffff7b98489: "/bin/sh"
(gdb) x /xg 0x7ffff7b98489
0x7ffff7b98489: 0x0068732f6e69622f

If you want to search in the whole address space of the process, you need to get the memory mapping for your process & use start address & end address with find command in gdb.

for instance if cat /proc/$PID/mapsshows that your process's virtual memory ranges from 0x08048000 to 0xc0000000 you can search as it follows:

(gdb) find 0x80048000, 0xc0000000, "/bin/sh"

Another way to get the memory mapping of your process is using the gdb's embedded command :

如果要搜索进程的整个地址空间，则需要获取进程的内存映射，并在 gdb 中使用带有 find 命令的起始地址和结束地址。

例如，如果cat /proc/$PID/maps显示您的进程的虚拟内存范围从 0x08048000 到 0xc0000000，您可以按如下

(gdb) find 0x80048000, 0xc0000000, "/bin/sh"

方式进行搜索：另一种获取进程内存映射的方法是使用 gdb 的嵌入式命令：

(gdb) info proc map

Use the findcommand.

使用查找命令。

find [/sn] start_addr, +len, val1 [, val2, …]
find [/sn] start_addr, end_addr, val1 [, val2, …]

Search memory for the sequence of bytes specified by val1, val2, etc. The search begins at address start_addr and continues for either len bytes or through to end_addr inclusive. s and n are optional parameters. They may be specified in either order, apart or together.

s, search query size The size of each search query value.

b bytes

h halfwords (two bytes)

w words (four bytes)

g giant words (eight bytes)

All values are interpreted in the current language. This means, for example, that if the current source language is C/C++ then searching for the string “hello” includes the trailing '\0'.

If the value size is not specified, it is taken from the value's type in the current language. This is useful when one wants to specify the search pattern as a mixture of types. Note that this means, for example, that in the case of C-like languages a search for an untyped 0x42 will search for ‘(int) 0x42' which is typically four bytes.

n, maximum number of finds The maximum number of matches to print. The default is to print all finds.

You can use strings as search values. Quote them with double-quotes ("). The string value is copied into the search pattern byte by byte, regardless of the endianness of the target and the size specification.

The address of each match found is printed as well as a count of the number of matches found.

The address of the last value found is stored in convenience variable ‘$_'. A count of the number of matches is stored in ‘$numfound'.

find [/sn] start_addr, +len, val1 [, val2, …]
find [/sn] start_addr, end_addr, val1 [, val2, …]

在内存中搜索由 val1、val2 等指定的字节序列。搜索从地址 start_addr 开始，并继续搜索 len 字节或一直到 end_addr（含）。s 和 n 是可选参数。它们可以按顺序、分开或一起指定。

s、搜索查询大小每个搜索查询值的大小。

b 字节

h 半字（两个字节）

w 字（四个字节）

g 巨字（8 个字节）

所有值都以当前语言解释。这意味着，例如，如果当前源语言是 C/C++，则搜索字符串“hello”包括尾随的 '\0'。

如果未指定值大小，则取自当前语言中的值类型。当您想要将搜索模式指定为类型的混合时，这很有用。请注意，这意味着，例如，在类 C 语言的情况下，搜索无类型 0x42 将搜索 '(int) 0x42'，通常为四个字节。

n, 最大查找数 要打印的最大匹配数。默认是打印所有发现。

您可以使用字符串作为搜索值。用双引号 (") 引用它们。无论目标的字节顺序和大小规范如何，字符串值都会逐字节复制到搜索模式中。

打印找到的每个匹配项的地址以及找到的匹配项数。

找到的最后一个值的地址存储在便利变量“$_”中。匹配数量的计数存储在“$numfound”中。