I have a memory dump (unmanaged process). How can I extract (using WinDbg) one of the DLLs loaded into the process? I mean actually saving the DLL file to disk.
3 Answers
You can use the sos.dll in the WinDbg directory.
First, load sos.dll in WinDbg:
.load clr10\sos.dll
Then use !sam or !SaveAllModule to extract the modules to a specific disk location:
!sam c:\notepad

To extract a DLL without using SOS, use the .writemem extension as follows:
1. Discover the module start and end addresses using
   lmvm dllname
   Example output for ieframe:
   start    end      module name
   61370000 61fb8000 ieframe
2. Calculate the length = end - start:
   ? 61fb8000 - 61370000
   Output: Evaluate expression: 12877823 = 00c48000
3. Then save the DLL as follows:
   .writemem C:\tmp\mydll.dll 61370000 L?00c48000
This is unlikely to give you the exact DLL as it was loaded from disk; fixing this up is non-trivial.
(Partly based on this article)
I tried that but it didn't work. I attached Windbg to Calc.exe and wrote the exe and got a bigger file. Strange. – Saar Oct 31 '09 at 10:43
I guess that's due to discrepancies in alignment - PE32 files take more space in memory than on disk due to larger memory alignment requirements. You need to properly rebuild the executable after it is dumped to meet these rules. Besides, the debug section is not dumped (as it is not mapped, I guess). Import tables also need reconstruction. – deemok Nov 05 '09 at 17:07
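The alignment mismatch deemok describes is mechanical enough to fix with a script. The following is an added example, not code from the answer or from any of the commenters: it reads the raw image that .writemem wrote (headers at offset 0, every section at its VirtualAddress, SectionAlignment apart) and writes a file in disk layout by copying each section to its PointerToRawData with SizeOfRawData bytes. That is the only thing it repairs; the import address table still contains the resolved pointers the loader wrote, relocations stay applied if the DLL was not loaded at its preferred base, and the checksum is not recomputed. The input it exercises is a constructed minimal PE32 image built in build_memory_image, not a real DLL, so the script runs offline; the script name rebuild_pe.py in the usage comment is an assumption.

```python
import struct
import sys

# Offsets from the PE/COFF specification. SectionAlignment, FileAlignment and
# SizeOfHeaders sit at the same optional-header offsets for PE32 and PE32+.
E_LFANEW = 0x3C
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def align(n, a):
    """Round n up to a multiple of a."""
    return (n + a - 1) // a * a


def parse_headers(image):
    """Return (section_table_offset, NumberOfSections, FileAlignment,
    SectionAlignment, SizeOfHeaders); raise if this is not a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, E_LFANEW)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", image, pe + 6)
    opt_size, = struct.unpack_from("<H", image, pe + 20)
    opt = pe + 4 + COFF_HEADER_SIZE
    magic, = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    section_alignment, file_alignment = struct.unpack_from("<II", image, opt + 32)
    size_of_headers, = struct.unpack_from("<I", image, opt + 60)
    return opt + opt_size, nsections, file_alignment, section_alignment, size_of_headers


def read_sections(image):
    """List of (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    table, nsections = parse_headers(image)[:2]
    out = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        name = bytes(image[off:off + 8]).rstrip(b"\0")
        out.append((name,) + struct.unpack_from("<IIII", image, off + 8))
    return out


def image_to_file(image):
    """Convert a memory-layout dump (what .writemem gives you) to disk layout.
    Headers are copied verbatim; each section is moved from its VirtualAddress
    back to its PointerToRawData. Imports, relocations and checksum are untouched."""
    size_of_headers = parse_headers(image)[4]
    sections = read_sections(image)
    out = bytearray(max([size_of_headers] + [ptr + raw for _, _, _, raw, ptr in sections]))
    hdr = image[:size_of_headers]
    out[:len(hdr)] = hdr
    for _, _, va, raw, ptr in sections:
        if raw == 0:  # uninitialised data (.bss style) has no file bytes
            continue
        chunk = image[va:va + raw]  # shorter than raw only if the dump was truncated
        out[ptr:ptr + len(chunk)] = chunk
    return bytes(out)


def build_memory_image(sections, file_alignment=0x200, section_alignment=0x1000):
    """Constructed sample input: a minimal PE32 DLL image laid out the way the
    loader maps it (each section on a SectionAlignment boundary). No code, no
    imports; it exists only so image_to_file can be exercised offline."""
    opt_size, pe = 224, 0x40  # PE32 optional header size, e_lfanew
    table = pe + 4 + COFF_HEADER_SIZE + opt_size
    size_of_headers = align(table + SECTION_HEADER_SIZE * len(sections), file_alignment)
    hdrs, va, ptr = [], section_alignment, size_of_headers
    for name, data in sections:
        raw = align(len(data), file_alignment)
        hdrs.append((name, len(data), va, raw, ptr, data))
        va, ptr = va + align(len(data), section_alignment), ptr + raw
    img = bytearray(va)  # va is now SizeOfImage
    img[:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, pe)
    img[pe:pe + 4] = b"PE\0\0"
    # Machine=i386, NumberOfSections, timestamp, symtab, nsyms, SizeOfOptionalHeader, DLL flags
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = pe + 4 + COFF_HEADER_SIZE
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<II", img, opt + 32, section_alignment, file_alignment)
    struct.pack_into("<II", img, opt + 56, va, size_of_headers)  # SizeOfImage, SizeOfHeaders
    for i, (name, vsize, sva, raw, sptr, data) in enumerate(hdrs):
        off = table + i * SECTION_HEADER_SIZE
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, vsize, sva, raw, sptr)
        img[sva:sva + vsize] = data
    return bytes(img)


if __name__ == "__main__":
    # usage: rebuild_pe.py <dump written by .writemem> <output.dll>
    with open(sys.argv[1], "rb") as f:
        dump = f.read()
    with open(sys.argv[2], "wb") as f:
        f.write(image_to_file(dump))
```

Before dumping, compare end - start from lmvm with the SizeOfImage that `!dh dllname` prints; if they differ you have the wrong range. After rebuilding, a disassembler will load the file and show the sections at the right offsets, but calls through the IAT will point at absolute addresses from the dumped process, which is the import reconstruction deemok refers to.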
Yes, it's true. calc.exe will also pull up its multi user language interface information and attach it in memory, as will a lot of Windows programs like mspaint, photoviewer, etc.
