Windbg: Get image loaded in memory


I'm starting a new section called Tips, with the goal of showing commands that are very useful when doing memory dump analysis. The first one is on how to save an image loaded in memory to a file.


When I'm looking at a managed memory dump, there is almost always a need to look inside the code so that I can get a better view of how the application I'm troubleshooting works. Since I usually don't have access to the source code, the path to follow is to get the image loaded in memory and save it to disk. Then I use (and I bet you also know this tool) Lutz's fantastic tool .NET Reflector (now acquired by RedGate: http://www.red-gate.com/products/reflector/ ).


If you are using the sos/psscor extension, the !SaveModule command is available to get this file. The syntax is pretty simple, and the help provided by executing !Help !SaveModule is pretty self-explanatory:

!SaveModule <Base address> <Filename>


This command allows you to take an image loaded in memory and write it to a file. This is especially useful if you are debugging a full memory dump and don't have the original DLLs or EXEs. It is most often used to save a managed binary to a file, so you can disassemble the code and browse types with ILDASM.


The base address of an image can be found with the "LM" debugger command:


0:000> lm
start    end        module name
00400000 00408000   image00400000     (deferred)
10200000 102ac000   MSVCR80D     (deferred)
5a000000 5a0b1000   mscoree      (deferred)
5a140000 5a29e000   mscorjit     (deferred)
5b660000 5c440000   mscorlib_dll     (deferred)
5d1d0000 5e13c000   mscorwks     (deferred)
...


If I wanted to save a copy of mscorwks.dll, I could run:


0:000> !SaveModule 5d1d0000 c:\pub\out.tmp
4 sections in file
section 0 - VA=1000, VASize=e82da9, FileAddr=400, FileSize=e82e00
section 1 - VA=e84000, VASize=24d24, FileAddr=e83200, FileSize=ec00
section 2 - VA=ea9000, VASize=5a8, FileAddr=e91e00, FileSize=600
section 3 - VA=eaa000, VASize=c183c, FileAddr=e92400, FileSize=c1a00


The diagnostic output indicates that the operation was successful. If c:\pub\out.tmp already exists, it will be overwritten.




Now, if by any chance you can't use sos/psscor, or you want to get an image from an unmanaged memory dump, you can use the .writemem command to get the job done. All you have to do is get the base address and size of the assembly.


The .writemem command writes a section of memory to a file. If you execute .hh .writemem in WinDbg you will get:



Syntax:


.writemem FileName Range 


Parameters:


FileName


Specifies the name of the file to be created. You can specify a full path and file name, or just the file name. If the file name contains spaces, FileName should be enclosed in quotation marks. If no path is specified, the current directory is used.


Range


Specifies the memory range to be written to the file.
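As an added example (not part of the original post), here is a small Python helper that turns `lm` output like the listing above into ready-to-paste .writemem commands, and checks that a file you dumped starts with the MZ/PE headers a module image should have. The sample `lm` text and PE header bytes are constructed; the `Start L?Size` range form is WinDbg's syntax for a size that may exceed the default 256 MB range limit.

```python
import re
import struct

# Constructed sample of `lm` output, mirroring the listing in the post (not a live session).
LM_OUTPUT = """\
start    end        module name
00400000 00408000   image00400000     (deferred)
5a000000 5a0b1000   mscoree      (deferred)
5d1d0000 5e13c000   mscorwks     (deferred)
...
"""

# Matches "start end name"; the backtick allows 64-bit addresses such as 00007ff8`1a2b0000.
LM_LINE = re.compile(r"^\s*([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\S+)", re.IGNORECASE)


def parse_lm(text):
    """Return {module name: (start, end)} from `lm` output, skipping the header and '...' lines."""
    modules = {}
    for line in text.splitlines():
        m = LM_LINE.match(line)
        if m:
            start = int(m.group(1).replace("`", ""), 16)
            end = int(m.group(2).replace("`", ""), 16)
            modules[m.group(3)] = (start, end)
    return modules


def writemem_command(modules, name, out_path):
    """Build '.writemem FileName Range' for one module.
    `lm` prints an exclusive end, so the size is end - start; a path with spaces is quoted."""
    start, end = modules[name]
    file_name = f'"{out_path}"' if " " in out_path else out_path
    return f".writemem {file_name} {start:08x} L?{end - start:x}"


def looks_like_pe(data):
    """Sanity check for a dumped image: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed minimal header: DOS header with e_lfanew = 0x40, followed by the PE signature.
SAMPLE_IMAGE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"

if __name__ == "__main__":
    mods = parse_lm(LM_OUTPUT)
    for name in mods:
        print(writemem_command(mods, name, "c:\\pub\\" + name + ".bin"))
    print("sample header looks like a PE image:", looks_like_pe(SAMPLE_IMAGE))
```

Note that .writemem copies memory exactly as it is laid out at runtime, so the file keeps the virtual section layout, whereas !SaveModule, as its section listing above shows, maps each VA to a FileAddr when writing.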


Bruno