Dumping modules from a memory dump for decompilation


One of my favorite WinDbg commands is the psscor4 SaveAllModules (sam).  I used to just bang that one out and use JustDecompile to look at the code to find out what was going on, like why the process was hanging or consuming more memory than expected.

At the moment psscor4 does not support the most current version of .NET so I needed to find an alternative.

The one I use is the SaveModule command in the SOS.dll, but this only dumps out a specific module, you might say?  Well, execute this script in WinDbg and it will dump them all for you, see Figure 1.

!for_each_module .if ($spat ("${@#ImageName}","*.exe")) { !SaveModule ${@#Base} D:\MemoryDumps\anything\exes\${@#ModuleName}.exe } .else { !SaveModule ${@#Base} D:\MemoryDumps\anything\dlls\${@#ModuleName}.dll }

image

Figure 1, dump out assemblies in WinDbg

Then open up JustDecompile, add the modules and go for it.

Comments (1)

  1. Tomas Restrepo says:

    You could use “!mex.writemodule -a” too.

Skip to main content