Windbg: Get image loaded in memory

I'm starting a new section called Tips with the goal of showing commands that are very useful when doing memory dump analysis. The first one is on how to get an image that is loaded in memory written out to a file.

When I'm looking at a managed memory dump there is almost always a need to look inside the code, so that I can get a better view of how the application I'm troubleshooting works. Since I usually don't have access to the source code, the path to follow is to get the image loaded in memory and save it to disk. Then I use (and I bet you also know this tool) Lutz's fantastic tool .NET Reflector (now acquired by RedGate: https://www.red-gate.com/products/reflector/ ).

If you are using the sos/psscor extension, the !SaveModule command is available and does exactly this. The syntax is pretty simple, and the help provided by executing !Help !SaveModule is pretty self-explanatory:

!SaveModule <Base address> <Filename>

This command allows you to take an image loaded in memory and write it to a file. This is especially useful if you are debugging a full memory dump and don't have the original DLLs or EXEs. It is most often used to save a managed binary to a file, so you can disassemble the code and browse types with ILDASM.

The base address of an image can be found with the "LM" debugger command:

0:000> lm
start    end        module name
00400000 00408000   image00400000   (deferred)
10200000 102ac000   MSVCR80D        (deferred)
5a000000 5a0b1000   mscoree         (deferred)
5a140000 5a29e000   mscorjit        (deferred)
5b660000 5c440000   mscorlib_dll    (deferred)
5d1d0000 5e13c000   mscorwks        (deferred)
...

If I wanted to save a copy of mscorwks.dll, I could run:

0:000> !SaveModule 5d1d0000 c:\pub\out.tmp
4 sections in file
section 0 - VA=1000, VASize=e82da9, FileAddr=400, FileSize=e82e00
section 1 - VA=e84000, VASize=24d24, FileAddr=e83200, FileSize=ec00
section 2 - VA=ea9000, VASize=5a8, FileAddr=e91e00, FileSize=600
section 3 - VA=eaa000, VASize=c183c, FileAddr=e92400, FileSize=c1a00

The diagnostic output indicates that the operation was successful. If c:\pub\out.tmp already exists, it will be overwritten.


Now, if by any chance you can't use sos/psscor, or you want to get an image out of an unmanaged memory dump, you can use the .writemem command to get the job done. All you have to do is get the base address and size of the assembly.

The .writemem command writes a section of memory to a file. If you execute .hh .writemem in windbg you will get:

Syntax:
.writemem FileName Range

Parameters:

FileName
Specifies the name of the file to be created. You can specify a full path and file name, or just the file name. If the file name contains spaces, FileName should be enclosed in quotation marks. If no path is specified, the current directory is used.

Range
Specifies the memory range to be written to the file.

Bruno