Commands to List/Extract DLLs from a Memory Dump Using WinDbg
In this blog we will look at the WinDbg commands that list the modules (DLLs and executables) loaded into a memory dump and extract them to disk. Open the dump in WinDbg and load sos.dll (.loadby sos clr, or .loadby sos mscorwks for .NET 2.0/3.5 dumps). Listing modules does not need SOS at all: lm is a built-in WinDbg command that lists every loaded and unloaded module in the dump. SOS is needed for the extraction commands further down.
Syntax:
lm Options [a Address] [m Pattern | M Pattern]
Output:
start end module name
00600000 00602600 2xcxcnk7 (deferred)
00800000 00ac5000 xpsp2res (no symbols)
01000000 01005000 w3wp (private pdb symbols) c:\symsrv\w3wp.pdb\35B93EEEB1524E2C8368E5DAB78748A51\w3wp.pdb
02050000 02052600 jf7rcnjd (deferred)
Unloaded modules:
5e320000 5e329000 perfdisk.dll
5e310000 5e318000 perfnet.dll
First column [start] shows the base address at which the module is loaded.
Second column [end] shows where the module's image ends in memory, i.e. base + SizeOfImage, which is one past the module's last byte.
Third column [module name] shows the file name of the module without its extension.
Last column [no header] shows the path of the symbol file when symbols have been loaded for that module; otherwise the parenthesised status (deferred, no symbols, export symbols, ...) tells you why not.
In the output above, module 2xcxcnk7 has start 00600000 and end 00602600. It occupies 0x00600000 up to, but not including, 0x00602600, so the image is 0x2600 bytes; end minus start always equals the module size.
To sort the output by module name instead of by start address, use lm sm (also written lmsm). lm1m prints only the module names, one per line, which is convenient for scripting. lm m *s* lists only the modules whose name matches the pattern, here every name containing the letter s; the pattern accepts the usual * and ? wildcards. When triaging a dump, the loaded modules marked (deferred) or (no symbols) with no path you recognise are the ones worth extracting and inspecting.
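The following parser is an added example, not code from the original post. It reads a copy of the lm listing shown above, splits loaded and unloaded modules, computes each module's size from start and end, reproduces the lm sm sort and the lm m pattern filter, and emits one !SaveModule line per loaded module that has no PDB. The SAMPLE_LM text is constructed from the listing above; the .dll extension on the output file name is an assumption, since lm drops extensions.

```python
"""Turn WinDbg `lm` output into module records for dump triage.

Added example: not the original post's code. It only assumes the column
layout of `lm` (start, end, name, (symbol status), [pdb path]).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample input: a copy of the `lm` listing from the post.
SAMPLE_LM = r"""
start end module name
00600000 00602600 2xcxcnk7 (deferred)
00800000 00ac5000 xpsp2res (no symbols)
01000000 01005000 w3wp (private pdb symbols) c:\symsrv\w3wp.pdb\35B93EEEB1524E2C8368E5DAB78748A51\w3wp.pdb
02050000 02052600 jf7rcnjd (deferred)
Unloaded modules:
5e320000 5e329000 perfdisk.dll
5e310000 5e318000 perfnet.dll
"""

# Loaded modules: start end name (status) [symbol path]
LOADED_RE = re.compile(
    r"^([0-9a-fA-F`]+)\s+([0-9a-fA-F`]+)\s+(\S+)\s+\(([^)]*)\)(?:\s+(\S.*))?$")
# Unloaded modules: start end name
UNLOADED_RE = re.compile(r"^([0-9a-fA-F`]+)\s+([0-9a-fA-F`]+)\s+(\S+)$")


@dataclass
class Module:
    start: int
    end: int
    name: str
    symbols: str       # text inside the parentheses, "" for unloaded modules
    symbol_path: str   # pdb path when lm printed one, else ""
    loaded: bool

    @property
    def size(self) -> int:
        # lm's end column is base + SizeOfImage, one past the last byte.
        return self.end - self.start


def _addr(text: str) -> int:
    # 64-bit WinDbg prints addresses as 00007ffa`12340000; drop the backtick.
    return int(text.replace("`", ""), 16)


def parse_lm(text: str) -> list[Module]:
    """Parse the loaded and unloaded sections of an `lm` listing."""
    modules: list[Module] = []
    loaded = True
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("unloaded modules"):
            loaded = False
            continue
        m = (LOADED_RE if loaded else UNLOADED_RE).match(line)
        if not m:
            continue  # header line, blank line, or anything else
        start, end = _addr(m.group(1)), _addr(m.group(2))
        if end <= start:
            raise ValueError(f"end address not after start: {line}")
        if loaded:
            modules.append(Module(start, end, m.group(3), m.group(4),
                                  m.group(5) or "", True))
        else:
            modules.append(Module(start, end, m.group(3), "", "", False))
    return modules


def sort_by_name(modules) -> list[Module]:
    """Same ordering as `lm sm`: by module name instead of base address."""
    return sorted(modules, key=lambda m: m.name.lower())


def match_pattern(modules, pattern: str) -> list[Module]:
    """Same filter as `lm m Pattern`, with * and ? wildcards."""
    return [m for m in modules if fnmatchcase(m.name.lower(), pattern.lower())]


def save_commands(modules, out_dir: str, suffix: str = ".dll") -> list[str]:
    """One `!SaveModule` line per loaded module without a PDB.

    The suffix is an assumption (lm drops extensions); check the
    'Image Name' line of !lmi if the real extension matters.
    """
    return [f"!SaveModule {m.start:08x} {out_dir}\\{m.name}{suffix}"
            for m in modules if m.loaded and "pdb symbols" not in m.symbols]


if __name__ == "__main__":
    mods = parse_lm(SAMPLE_LM)
    for m in sort_by_name(mods):
        state = "loaded" if m.loaded else "unloaded"
        print(f"{m.name:<14} {m.start:08x}-{m.end:08x} size=0x{m.size:x} {state} {m.symbols}")
    print("\n".join(save_commands(mods, r"c:\myModules")))
```

Paste the emitted !SaveModule lines back into WinDbg, or feed the same listing through the script from a cdb -z <dump> -c "lm; q" run when you need to triage many dumps.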
To extract every module from the dump into a folder, use "!sam c:\myModules" (short for !SaveAllModules c:\myModules). !SaveAllModules is not part of every SOS build; it ships with the PSSCOR extension, so if WinDbg reports it as an unrecognised command, load that extension first.
To extract a specific module, give !SaveModule (an SOS command) the module's base address from the lm output and an output path:
!SaveModule 00600000 c:\test.dll
Note that the saved file is reconstructed from the in-memory image (relocations applied, imports resolved), so its hash will not match the original file on disk; compare the PE timestamp and size, or inspect it in a disassembler, rather than relying on a hash match.
Use "!lmi start-address" or "!lmi module-name" to get detailed information about a module:
!lmi 00600000
!lmi 2xcxcnk7
Output:
Loaded Module Info: [00600000]
Module: 2xcxcnk7
Base Address: 00600000
Image Name: 2xcxcnk7.dll
Machine Type: 332 (I386)
Time Stamp: 4f3194b6 Wed Feb 08 02:46:38 2012
Size: 8000
CheckSum: 0
Characteristics: 2102
Debug Directories not present
Symbol Type: DEFERRED - No error - symbol load deferred
Load Report: no symbols loaded
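The !lmi fields above are mostly raw PE header values, and a few of them are easy to misread. As an added example (not code from the original post), the script below parses a copy of the !lmi block, decodes Machine Type (which !lmi prints in decimal; 332 is 0x14c, IMAGE_FILE_MACHINE_I386), turns the hex Time Stamp into a UTC time (the date WinDbg prints next to it is in the debugger machine's local time zone, which is why it reads Feb 08 here while the epoch value falls on Feb 07 UTC), and expands the Characteristics bits using the IMAGE_FILE_* constants from winnt.h. The SAMPLE_LMI text is constructed from the output above.

```python
"""Decode the raw PE values that WinDbg's `!lmi` prints.

Added example, not the original post's code. Constants are the
IMAGE_FILE_MACHINE_* and IMAGE_FILE_* values from winnt.h.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample input: a copy of the `!lmi 00600000` output from the post.
SAMPLE_LMI = """
Loaded Module Info: [00600000]
Module: 2xcxcnk7
Base Address: 00600000
Image Name: 2xcxcnk7.dll
Machine Type: 332 (I386)
Time Stamp: 4f3194b6 Wed Feb 08 02:46:38 2012
Size: 8000
CheckSum: 0
Characteristics: 2102
Debug Directories not present
Symbol Type: DEFERRED - No error - symbol load deferred
Load Report: no symbols loaded
"""

MACHINE_TYPES = {0x14C: "I386", 0x8664: "AMD64", 0x1C4: "ARMNT", 0xAA64: "ARM64"}

# Subset of IMAGE_FILE_* characteristics flags, in bit order.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}


def parse_lmi(text: str) -> dict[str, str]:
    """Split each 'Key: value' line of !lmi output into a dict."""
    info: dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")  # first colon only; times contain more
            info[key.strip()] = value.strip()
    return info


def decode_lmi(info: dict[str, str]) -> dict:
    """Decode the numeric fields into something a human can check."""
    machine = int(info["Machine Type"].split()[0])     # !lmi prints this in decimal
    stamp = int(info["Time Stamp"].split()[0], 16)     # hex seconds since 1970-01-01 UTC
    chars = int(info["Characteristics"], 16)
    return {
        "image_name": info.get("Image Name", ""),
        "base": int(info["Base Address"], 16),
        "size": int(info["Size"], 16),
        "machine": MACHINE_TYPES.get(machine, f"unknown(0x{machine:x})"),
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        "is_dll": bool(chars & 0x2000),
        # CheckSum 0 means the linker never computed one, so nothing to verify against.
        "checksum_set": int(info["CheckSum"], 16) != 0,
    }


if __name__ == "__main__":
    decoded = decode_lmi(parse_lmi(SAMPLE_LMI))
    for key, value in decoded.items():
        print(f"{key:<16} {value}")
```

Running it on the block above reports an I386 DLL of 0x8000 bytes whose link timestamp is 2012-02-07 21:16:38 UTC, with no checksum and no debug directory, which is consistent with the "symbol load deferred" status: there is no PDB reference for the symbol server to follow.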