Special Command—Displaying the PE Header Information with !lmi

  • Article

Like its cousin !dh, the !lmi extension displays the PE header information from a specified module. However, it gives you fewer details than !dh. The output is summarized.

 

Usage:

 

!lmi <moduleName>

 

Examples:

 

0:532> !lmi mtgdi

 

Loaded Module Info: [mtgdi]

         Module: mtgdi

   Base Address: 00400000

     Image Name: mtgdi.exe

   Machine Type: 332 (I386)

     Time Stamp: 48785a80 Sat Jul 12 00:17:20 2008

           Size: 27000

       CheckSum: 0

Characteristics: 103

Debug Data Dirs: Type Size VA Pointer

             CODEVIEW 3b, 200dc, e8dc RSDS - GUID: {EC1B3DB2-25C1-4337-8676-DFB3C5B1C8C9}

               Age: 3, Pdb: c:\DOWNLOADS\mtgdi\Debug\mtgdi.pdb

     Image Type: FILE - Image read successfully from debugger.

     C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe

    Symbol Type: PDB - Symbols loaded successfully from image path.

                 C:\development\My Tools\Book\mtgdi\Debug\mtgdi.pdb

       Compiler: Resource - front end [0.0 bld 0] - back end [9.0 bld 21022]

    Load Report: private symbols & lines, not source indexed

                 C:\development\My Tools\Book\mtgdi\Debug\mtgdi.pdb

 

0:532> !lmi ole32

 

Loaded Module Info: [ole32]

         Module: ole32

   Base Address: 77110000

   Image Name: C:\Windows\syswow64\ole32.dll

   Machine Type: 332 (I386)

     Time Stamp: 49eea66c Tue Apr 21 22:09:00 2009

           Size: 15b000

       CheckSum: 1607b7

Characteristics: 2102 perf

Debug Data Dirs: Type Size VA Pointer

             CODEVIEW 22, 138b1c, 13831c RSDS - GUID: {D66D525C-3DF2-47C7-AB77-594C4E5E2325}

               Age: 2, Pdb: ole32.pdb

                CLSID 4, 138b18, 138318 [Data not mapped]

     Image Type: FILE - Image read successfully from debugger.

    C:\Windows\syswow64\ole32.dll

    Symbol Type: PDB - Symbols loaded successfully from symbol server.

                 c:\publicsymbols\ole32.pdb\D66D525C3DF247C7AB77594C4E5E23252\ole32.pdb

    Load Report: public symbols , not source indexed

                 c:\publicsymbols\ole32.pdb\D66D525C3DF247C7AB77594C4E5E23252\ole32.pdb

 

Note the Base Address above. You can get the base address from a module using different commands like lm or even dd.

dd is supposed to Display DWORDs but it solves module names.

 

Look:

 

0:532> dd ole32 L1

77110000 00905a4d

 

0:532> dd mtgdi L1

00400000 00905a4d