Special Command—Saving Modules Using .writemem

This command saves a range of memory into a disk file. The cool thing about it is that you can save whole modules too; keep in mind, however, that what you get is just the raw memory image of the module, not the original file from disk.

The parameters are:


.writemem <filename> <range>


Here is an example:


0:026> lm
start    end        module name
00400000 00427000   mtgdi      (deferred)
5a700000 5acaf000   mfc90d     (deferred)
63df0000 63f13000   MSVCR90D   (deferred)
71270000 71283000   dwmapi     (deferred)
72cf0000 72d70000   UxTheme    (deferred)
73470000 73475000   MSIMG32    (deferred)
73b90000 73b9d000   MFC90ENU   (deferred)
74fd0000 75053000   COMCTL32   (deferred)
751d0000 751dc000   CRYPTBASE  (deferred)
751e0000 75240000   SspiCli    (deferred)
75240000 75259000   sechost    (deferred)
75260000 75ea6000   SHELL32    (deferred)
75ee0000 75f8c000   msvcrt     (deferred)
75fd0000 76060000   GDI32      (deferred)
76150000 76250000   kernel32   (deferred)
76250000 762ed000   USP10      (deferred)
763b0000 76410000   IMM32      (deferred)
76410000 7649f000   OLEAUT32   (deferred)
764a0000 764e4000   KERNELBASE (deferred)
765c0000 766b0000   RPCRT4     (deferred)
766b0000 76733000   CLBCatQ    (deferred)
76a00000 76aa0000   ADVAPI32   (deferred)
76ce0000 76d37000   SHLWAPI    (deferred)
76f40000 77040000   USER32     (deferred)
77040000 7710c000   MSCTF      (deferred)
77110000 7726b000   ole32      (deferred)
77640000 7764a000   LPK        (deferred)


Now let’s save the MFC90ENU.DLL above.


0:026> .writemem c:\downloads\MFC90ENU.dll 73b90000 (73b9d000 - 0x1)
Writing d000 bytes..........


Note the "- 0x1" above. Without it the command fails, because the debugger treats a two-address range as inclusive: it tries to write every byte from the base address up to and including the end address, and the end address reported by lm is already one byte past the module.


Another approach is to compute the size of the module and pass it as the length (L) part of the range instead of an end address:


0:026> ? 73b9d000 - 73b90000


Evaluate expression: 53248 = 0000d000


0:026> .writemem c:\downloads\MFC90ENU.dll 73b90000 L 0000d000

Writing d000 bytes..........
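As an added example (not code from the original post), here is a small Python helper that parses lm output, computes the module size the same way "? end - start" does, and produces both .writemem forms shown above, plus a check that a saved dump has the expected length. SAMPLE_LM is constructed from the listing above; the regex also accepts 16-digit x64 addresses with a backtick, which the post does not show.

```python
import os
import re

# One row of WinDbg "lm" output: start address, end address, module name, load status.
# Constructed regex: 8 hex digits on x86, 16 on x64 (optionally with a backtick separator).
LM_ROW = re.compile(r"^\s*([0-9a-fA-F`]{8,17})\s+([0-9a-fA-F`]{8,17})\s+(\S+)")

def parse_lm(lm_text):
    """Parse lm output into a list of (start, end, name); header and blank lines are skipped."""
    modules = []
    for line in lm_text.splitlines():
        m = LM_ROW.match(line)
        if m:
            start = int(m.group(1).replace("`", ""), 16)
            end = int(m.group(2).replace("`", ""), 16)
            modules.append((start, end, m.group(3)))
    return modules

def module_size(start, end):
    """lm reports end as one past the last mapped byte, so the size is end - start."""
    if end <= start:
        raise ValueError("end address must be above start address")
    return end - start

def writemem_command(path, start, end, use_length=True):
    """Build the .writemem line for one module.

    A 'start end' range is inclusive of end, so that form must subtract one;
    the 'start L size' form avoids the off-by-one entirely."""
    if use_length:
        return f".writemem {path} {start:08x} L {module_size(start, end):08x}"
    return f".writemem {path} {start:08x} ({end:08x} - 0x1)"

def dump_size_ok(file_size, start, end):
    """True if a dump of file_size bytes covers exactly the module's mapped range.

    The dump is the in-memory image (sections at their virtual offsets), so comparing
    against the size of the DLL on disk would be the wrong check."""
    return file_size == module_size(start, end)

def dump_file_ok(path, start, end):
    """Same check against a file that .writemem actually wrote."""
    return dump_size_ok(os.path.getsize(path), start, end)

# Constructed sample, copied from the lm listing above (x86, 8-digit addresses).
SAMPLE_LM = """start    end        module name
00400000 00427000   mtgdi      (deferred)
73b90000 73b9d000   MFC90ENU   (deferred)
76150000 76250000   kernel32   (deferred)
"""

def commands_for(lm_text, name, path):
    """Return (length form, inclusive form) for the named module, or None if lm does not list it."""
    for start, end, mod in parse_lm(lm_text):
        if mod.lower() == name.lower():
            return writemem_command(path, start, end, True), writemem_command(path, start, end, False)
    return None
```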


Comments (1)

  1. G33kKahuna says:

    Can you show a sample dump of MFC90ENU.dll, explain the output, and explain how to make it human-friendly?