Using WinDbg to extract the I.P. Address from a System.Net.IPAddress Object


Introduction

If you are looking at a System.Net.IPAddress object in a memory dump in WinDbg and are wondering what I.P. address it actually represents, this post explains how you can get that information nice and quick.

The Details

I was looking at a hang dump today where a custom HTTP module was trying to connect to a remote server and was timing out. I found the System.Net.IPAddress on the stack using !dso and here is what the object looks like :

0:024> !do 0ae055a8
Name: System.Net.IPAddress
MethodTable: 7a77385c
EEClass: 7a773750
Size: 40(0x28) bytes
GC Generation: 0
(C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll)
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
790fc054  40020d7        4         System.Int64  1 instance 552882186 m_Address
790f97f0  40020d8       14        System.String  0 instance 00000000 m_ToString
7a7740c0  40020dc       1c         System.Int32  1 instance        2 m_Family
7912b058  40020dd       18      System.UInt16[]  0 instance 0ae055d0 m_Numbers
790fc054  40020de        c         System.Int64  1 instance 0 m_ScopeId
790fe200  40020df       20         System.Int32  1 instance        0 m_HashCode
7a77385c  40020d3      7bc System.Net.IPAddress  0   shared   static Any
    >> Domain:Value  000d0548:NotInit  1bea0890:06daefc8 <<
7a77385c  40020d4      7c0 System.Net.IPAddress  0   shared   static Loopback
    >> Domain:Value  000d0548:NotInit  1bea0890:06daf00c <<
7a77385c  40020d5      7c4 System.Net.IPAddress  0   shared   static Broadcast
    >> Domain:Value  000d0548:NotInit  1bea0890:06daf050 <<
7a77385c  40020d6      7c8 System.Net.IPAddress  0   shared   static None
    >> Domain:Value  000d0548:NotInit  1bea0890:06daf050 <<
7a77385c  40020d9      7cc System.Net.IPAddress  0   shared   static IPv6Any
    >> Domain:Value  000d0548:NotInit  1bea0890:06daf0b0 <<
7a77385c  40020da      7d0 System.Net.IPAddress  0   shared   static IPv6Loopback
    >> Domain:Value  000d0548:NotInit  1bea0890:06daf110 <<
7a77385c  40020db      7d4 System.Net.IPAddress  0   shared   static IPv6None
    >> Domain:Value  000d0548:NotInit  1bea0890:06daf170 <<

 

Out I.P address is in the m_Address property whose value is 552882186. As you can see, it is not easy to convert 552882186 into a readable I.P. address. In order to identify the I.P. address represented by this value, we’ll have to examine raw memory. As you can see, the address of the object is 0ae055a8 and m_Address property is at the offset 4. This means, that m_Address is at the memory location 0ae055a8 +4 = 0ae055ac. An I.P. address has four parts, and each part is 1 byte (e.g. 192.168.10.50). Let’s examine the memory location 0ae055ac using the db command (dump bytes). Here is the output:

0:024> db 0ae055ac
0ae055ac  0a 50 f4 20 00 00 00 00-00 00 00 00 00 00 00 00  .P. ............
0ae055bc  00 00 00 00 d0 55 e0 0a-02 00 00 00 00 00 00 00  .....U..........
0ae055cc  00 00 00 00 58 b0 12 79-08 00 00 00 00 00 00 00  ....X..y........
0ae055dc  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0ae055ec  58 2d 12 79 04 00 00 00-2c 90 0f 79 00 00 00 00  X-.y....,..y....
0ae055fc  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0ae0560c  58 2d 12 79 01 00 00 00-5c 38 77 7a a8 55 e0 0a  X-.y....\8wz.U..
0ae0561c  00 00 00 00 58 2d 12 79-00 00 00 00 f0 97 0f 79  ....X-.y.......y

In the above output, 0a 50 f4 20 is out I.P. Address. As this output is HEX, let’s convert this to decimal:

0a = 10

50 = 80

f4 = 244

20 = 32

As you can see, the I.P. address represented by the System.Net.IPAddress object in this case is 10.80.244.32

Hope you find this helpful!

Tehnoon

Comments (1)

Skip to main content