Special Command—Saving Modules Using .writemem

This command enables you to save memory into a disk file. The cool thing about it is that you can save modules too; however, it is just the raw memory.

The parameters are:

.writemem <filename> <range>

Here is an example:

0:026> lm
start end module name
00400000 00427000 mtgdi (deferred)
5a700000 5acaf000 mfc90d (deferred)
63df0000 63f13000 MSVCR90D (deferred)
71270000 71283000 dwmapi (deferred)
72cf0000 72d70000 UxTheme (deferred)
73470000 73475000 MSIMG32 (deferred)
73b90000 73b9d000 MFC90ENU (deferred)
74fd0000 75053000 COMCTL32 (deferred)
751d0000 751dc000 CRYPTBASE (deferred)
751e0000 75240000 SspiCli (deferred)
75240000 75259000 sechost (deferred)
75260000 75ea6000 SHELL32 (deferred)
75ee0000 75f8c000 msvcrt (deferred)
75fd0000 76060000 GDI32 (deferred)
76150000 76250000 kernel32 (deferred)
76250000 762ed000 USP10 (deferred)
763b0000 76410000 IMM32 (deferred)
76410000 7649f000 OLEAUT32 (deferred)
764a0000 764e4000 KERNELBASE (deferred)
765c0000 766b0000 RPCRT4 (deferred)
766b0000 76733000 CLBCatQ (deferred)
76a00000 76aa0000 ADVAPI32 (deferred)
76ce0000 76d37000 SHLWAPI (deferred)
76f40000 77040000 USER32 (deferred)
77040000 7710c000 MSCTF (deferred)
77110000 7726b000 ole32 (deferred)
77640000 7764a000 LPK (deferred)

Now let’s save the MFC90ENU.DLL above.

0:026> .writemem c:\downloads\MFC90ENU.dll 73b90000 (73b9d000 - 0x1)
Writing d000 bytes..........................

Note the “- 0x1” above. If you omit it, the command fails, because the debugger treats the range as inclusive and tries to write from the base address up to and including the end address.

Another approach you can use is to get the size of the module and use it as one of the parameters:

0:026> ? 73b9d000 - 73b90000
Evaluate expression: 53248 = 0000d000

0:026> .writemem c:\downloads\MFC90ENU.dll 73b90000 L 0000d000
Writing d000 bytes..........................
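As an added illustration (this is not code from the original post), here is a small Python helper that parses lm output like the listing above and builds both forms of the .writemem range, applying the inclusive-end adjustment so the off-by-one is not left to memory. The sample lm rows and the c:\downloads output folder are constructed for the example; the helper does the subtraction itself instead of leaving it to the debugger's expression evaluator.

```python
import re

# Constructed sample in the format of the WinDbg `lm` listing shown above.
LM_OUTPUT = """\
start    end        module name
00400000 00427000   mtgdi      (deferred)
73b90000 73b9d000   MFC90ENU   (deferred)
76150000 76250000   kernel32   (deferred)
"""

# start/end columns; 64-bit targets print addresses with a backtick in the middle.
LM_ROW = re.compile(
    r"^\s*([0-9a-fA-F]{8}(?:`?[0-9a-fA-F]{8})?)\s+"
    r"([0-9a-fA-F]{8}(?:`?[0-9a-fA-F]{8})?)\s+(\S+)"
)


def parse_lm(text):
    """Return {module_name: (start, end)} from lm output; end is exclusive."""
    modules = {}
    for line in text.splitlines():
        m = LM_ROW.match(line)
        if m:  # the header line does not match because "start" is not hex
            start = int(m.group(1).replace("`", ""), 16)
            end = int(m.group(2).replace("`", ""), 16)
            modules[m.group(3)] = (start, end)
    return modules


def writemem_commands(name, start, end, out_dir="c:\\downloads"):
    """Build both .writemem forms for one module; returns (size, range_cmd, length_cmd)."""
    size = end - start
    path = out_dir + "\\" + name + ".dll"
    # Form 1: explicit address range. lm prints an exclusive end, but a
    # WinDbg range is inclusive, so the last address must be end - 1.
    by_range = f".writemem {path} {start:08x} {end - 1:08x}"
    # Form 2: base address plus L<byte count>, which needs no adjustment.
    by_length = f".writemem {path} {start:08x} L {size:08x}"
    return size, by_range, by_length


if __name__ == "__main__":
    mods = parse_lm(LM_OUTPUT)
    for name, (start, end) in mods.items():
        size, r, l = writemem_commands(name, start, end)
        print(f"{name}: {size:#x} bytes\n  {r}\n  {l}")
```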