Special Command—Displaying Information From Modules/DLLs with !dlls


The !dlls extension displays the table entries of all loaded modules. You can also use it to display all modules that a specified thread or process is using.



The WinDbg help file describes all parameters. Here we are going to show the most common usage.

Displays file headers and section headers:

!dlls -a

0:801> !dlls -a

0x00543598: C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe
      Base   0x00400000  EntryPoint  0x00411929  Size        0x00027000
      Flags  0x00004000  LoadCount   0x0000ffff  TlsIndex    0x00000000
             LDRP_ENTRY_PROCESSED

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
     14C machine (i386)
       6 number of sections
48785A80 time date stamp Sat Jul 12 00:17:20 2008

       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
     103 characteristics
            Relocations stripped
            Executable
            32 bit word machine

OPTIONAL HEADER VALUES
     10B magic #
    9.00 linker version
    C400 size of code
    7C00 size of initialized data
       0 size of uninitialized data
   11929 address of entry point
    1000 base of code
    1000 base of data
         ----- new -----
00400000 image base
    1000 section alignment
     200 file alignment
       2 subsystem (Windows GUI)
    5.00 operating system version
    0.00 image version
    5.00 subsystem version
   27000 size of image
     400 size of headers
       0 checksum
00100000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
00400100 Opt Hdr
       0 [       0] address [size] of Export Directory
   23000 [      8C] address [size] of Import Directory
   25000 [    1E7C] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
       0 [       0] address [size] of Security Directory
       0 [     101] address [size] of Base Relocation Directory
   1E940 [      1C] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
       0 [       0] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
   23884 [     7F8] address [size] of Import Address Table Directory
       0 [       0] address [size] of Reserved Directory
       0 [       0] address [size] of Reserved Directory
       0 [       0] address [size] of Reserved Directory

SECTION HEADER #1
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #2
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #3
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #4
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #5
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #6
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)


 


 




Displays version numbers:

!dlls -v

0:801> !dlls -v

0x00543598: C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe
      Base   0x00400000  EntryPoint  0x00411929  Size        0x00027000
      Flags  0x00004000  LoadCount   0x0000ffff  TlsIndex    0x00000000
             LDRP_ENTRY_PROCESSED
      Product Name       MTGDI Application
      Product Version    1, 0, 0, 1
      Original Filename  MTGDI.EXE
      File Description   MTGDI MFC Application
      File Version       1, 0, 0, 1

0x00543628: C:\Windows\SysWOW64\ntdll.dll
      Base   0x77630000  EntryPoint  0x00000000  Size        0x00180000
      Flags  0x80004004  LoadCount   0x0000ffff  TlsIndex    0x00000000
             LDRP_IMAGE_DLL
             LDRP_ENTRY_PROCESSED
      Company Name       Microsoft Corporation
      Product Name       Microsoft® Windows® Operating System
      Product Version    6.1.7100.0
      Original Filename  ntdll.dll
      File Description   NT Layer DLL
      File Version       6.1.7100.0 (winmain_win7rc.090421-1700)

0x005439a8: C:\Windows\syswow64\kernel32.dll
      Base   0x769d0000  EntryPoint  0x769e3e8a  Size        0x00100000
      Flags  0x80084004  LoadCount   0x0000ffff  TlsIndex    0x00000000
             LDRP_IMAGE_DLL
             LDRP_ENTRY_PROCESSED
             LDRP_PROCESS_ATTACH_CALLED
      Company Name       Microsoft Corporation
      Product Name       Microsoft® Windows® Operating System
      Product Version    6.1.7100.0
      Original Filename  kernel32
      File Description   Windows NT BASE API Client DLL
      File Version       6.1.7100.0 (winmain_win7rc.090421-1700)

0x00543ac0: C:\Windows\syswow64\KERNELBASE.dll
      Base   0x76ad0000  EntryPoint  0x76ad563f  Size        0x00044000
      Flags  0x80084004  LoadCount   0x0000ffff  TlsIndex    0x00000000
             LDRP_IMAGE_DLL
             LDRP_ENTRY_PROCESSED
             LDRP_PROCESS_ATTACH_CALLED
      Company Name       Microsoft Corporation
      Product Name       Microsoft® Windows® Operating System
      Product Version    6.1.7100.0
      Original Filename  Kernelbase
      File Description   Windows NT BASE API Client DLL
      File Version       6.1.7100.0 (winmain_win7rc.090421-1700)


 


 



Using a module address to display information from a specific DLL:

!dlls -c <moduleAddress>

0:801> !dlls -c 63390000

Dump dll containing 0x63390000:
0x00544998: C:\Windows\WinSxS\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb\MSVCR90D.dll
      Base   0x63390000  EntryPoint  0x633cc6f0  Size        0x00123000
      Flags  0x90084004  LoadCount   0x0000ffff  TlsIndex    0x00000000
             LDRP_IMAGE_DLL
             LDRP_ENTRY_PROCESSED
             LDRP_PROCESS_ATTACH_CALLED
             LDRP_REDIRECTED
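
An added example, not part of the original post: a Python parser for a saved log of `!dlls -v` output (for instance one captured with `.logopen`), plus an address-to-module lookup over the parsed Base and Size values, the question `!dlls -c` answers inside the debugger. The sample text is constructed from entries shown above, and the function names and dictionary keys are assumptions of this example.

```python
import re

# Constructed sample: two entries in the `!dlls -v` layout, abridged from the output above.
SAMPLE = r"""
0x00543598: C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe
      Base   0x00400000  EntryPoint  0x00411929  Size        0x00027000
      Flags  0x00004000  LoadCount   0x0000ffff  TlsIndex    0x00000000
             LDRP_ENTRY_PROCESSED
      Product Name       MTGDI Application
      File Version       1, 0, 0, 1

0x005439a8: C:\Windows\syswow64\kernel32.dll
      Base   0x769d0000  EntryPoint  0x769e3e8a  Size        0x00100000
      Flags  0x80084004  LoadCount   0x0000ffff  TlsIndex    0x00000000
             LDRP_IMAGE_DLL
             LDRP_ENTRY_PROCESSED
             LDRP_PROCESS_ATTACH_CALLED
      Company Name       Microsoft Corporation
      File Version       6.1.7100.0 (winmain_win7rc.090421-1700)
"""

ENTRY = re.compile(r"^(0x[0-9a-fA-F]+): (.+)$")  # table entry address, image path
NUMS = re.compile(r"(Base|EntryPoint|Size|Flags|LoadCount|TlsIndex)\s+(0x[0-9a-fA-F]+)")
FLAG = re.compile(r"^\s+(LDRP_\w+)$")  # one decoded flag name per line
VERSION = re.compile(r"^\s+([A-Z][A-Za-z]*(?: [A-Z][A-Za-z]*)*)\s{2,}(\S.*)$")

def parse_dlls(text):
    """Return one dict per module entry found in saved `!dlls` / `!dlls -v` output."""
    modules = []
    for line in (raw.rstrip() for raw in text.splitlines()):
        entry = ENTRY.match(line)
        if entry:
            modules.append({"entry": int(entry.group(1), 16), "path": entry.group(2),
                            "flag_names": [], "version": {}})
        elif not modules:
            continue  # prompt or echo lines before the first entry
        elif FLAG.match(line):
            modules[-1]["flag_names"].append(line.strip())
        elif NUMS.search(line):
            modules[-1].update({k: int(v, 16) for k, v in NUMS.findall(line)})
        elif VERSION.match(line):
            key, value = VERSION.match(line).groups()
            modules[-1]["version"][key] = value
    return modules

def module_containing(modules, address):
    """Find the module whose [Base, Base + Size) range holds address, as `!dlls -c` reports."""
    return next((m for m in modules
                 if m["Base"] <= address < m["Base"] + m["Size"]), None)
```

Entries with no Company Name field, such as MtGdi.exe in the sample, come back with that key absent from `version`, which makes it easy to list modules that carry no vendor information.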


 


 


 

Comments (2)

  1. Manikanth says:

    How can we read the output of !dlls -v programmatically?

  2. You'll need to create a script for that.

    This is an example of what I mean:

    blogs.msdn.com/…/windbg-script-displaying-the-com-object-referenced-by-an-rcw-object.aspx

    Thanks,

    Roberto