16

First off, I am aware of:

  1. Is it possible to export a dll definition from my AppDomain?
  2. Is it possible to save a dynamic assembly to disk?
  3. How can I extract DLL file from memory dump?

but none of those seem to answer my question particularly.

Consider the following scenario: a C# application loads a DLL from a memory stream (so the DLL isn't directly exposed to the user). Is there a tool that explicitly allows dumping or exporting that particular DLL from memory to disk in its original form?

Note: I'd like someone to show me a full step-by-step procedure of extracting an intact DLL from the memory dump of a C# application.

IneedHelp
  • What format do you have when loading the dll? do you still have a reference to the "Assembly" object, or the byte[]? – Philippe Paré Jul 23 '15 at 19:20
  • Try using MyAssembly.Location ... this gives you a file path that you might be able to read from. I know it's a MemoryStream, but they possibly create a temporary file internally. – Philippe Paré Jul 23 '15 at 19:34
  • @PhilippeParé The path to the assembly will never be accessible to the user. I am interested to know the exact method of extracting the loaded DLL files from the process allocated memory or from the memory dump. – IneedHelp Jul 24 '15 at 00:16
  • I'm sorry but I think that's impossible. Once you load a library, it loads the symbols. The only way around I could think of is to create a library using the AssemblyBuilder, but that would certainly not yield the original file as you want. There's no way that I know of at least. sorry! – Philippe Paré Jul 24 '15 at 00:22
  • @PhilippeParé Trust me, I'd really love to know for sure that it would be impossible to do so, but Mr Hans Passant (a renowned SO user) states otherwise in the first comment. The memory dump does seem to contain a lot of data and I've read about people being able to pull out DLLs from it, but I don't know how to properly do it. – IneedHelp Jul 24 '15 at 00:50
  • It sure is possible to create a dll from data in a program, I'm just unsure you can "extract" the original dll. – Philippe Paré Jul 24 '15 at 22:56

1 Answer

10

WinDbg with managed debugging extensions is capable of this trick. First, download WinDbg (google "Microsoft Debugging Tools for Windows"; it is not a standalone download, but part of other kits).

The next part is installing the psscor2 extension (from https://www.microsoft.com/en-us/download/details.aspx?id=1073) and extracting it to the folder where WinDbg is located.

Next, run your program and attach WinDbg to it (it's in the menu). Type the following commands:

  1. `.load psscor2`
  2. `!SaveAllModules c:\modules\`

Find the module you want and enjoy.

rkapl
  • I have tested the solution on a random .NET app on my computer and the results were what I expected. However, that app probably did not use `Assembly.Load(byte[])`, but I do not think it should be a problem. Are the assemblies you are interested in at least listed using the `!DumpDomain` command? – rkapl Jul 25 '15 at 14:13
  • I tried it and I get this error: 0:021> !DumpDomain Failed to find runtime DLL (mscorwks.dll), 0x80004005 Extension commands need mscorwks.dll in order to have something to do. – IneedHelp Jul 25 '15 at 15:09
  • Well, `!DumpDomain` works for me. Try running `.loadby sos mscorwks` before `!DumpDomain`. – rkapl Jul 25 '15 at 17:43
  • I switched to 32-bit mode: 0:019> !wow64exts.sw Switched to 32bit mode tried: 0:019:x86> .loadby sos clr The call to LoadLibrary(sos) failed, Win32 error 0n2 "The system cannot find the file specified." and 0:019:x86> .loadby sos mscorwks Unable to find module 'mscorwks' Still not working.. – IneedHelp Jul 25 '15 at 19:51
  • Are you running the 32-bit or 64-bit version of WinDbg? Try the one matching your CLR. Sorry for the complications, there are difficulties with WinDbg/CLR debugging I am not aware of. + I am running on a 32-bit machine. – rkapl Jul 26 '15 at 09:15
  • I switched to the 32bit mode using the "!wow64exts.sw" command. – IneedHelp Jul 29 '15 at 01:59
  • There is a difference between running the 32-bit WinDbg and switching 64-bit WinDbg to 32-bit mode. 64-bit WinDbg can not debug 32-bit CLRs, even with those extensions. – rkapl Jul 29 '15 at 06:49
  • For the life of me, I can't find a 32bit version of WinDbg and I really want to try out what you instructed. – IneedHelp Jul 29 '15 at 07:28
  • Either way, thanks for trying to guide me through the process. Cheers! – IneedHelp Jul 29 '15 at 17:46
  • For me, it is in `C:\Program Files\Windows Kits\8.1\Debuggers\x86\windbg.exe` (notice the x86 as opposed to x64). Also your location may vary if you have a different kit installed. – rkapl Jul 30 '15 at 08:59
  • I don't have an x86 version in the "C:\Program Files\Windows Kits\8.1\Debuggers\" location, just an x64. – IneedHelp Jul 30 '15 at 11:47
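
An offline complement to the WinDbg procedure in the answer above, added here as an example and not code from anyone in this thread: it scans a raw dump for PE images whose CLR data directory is populated and carves each one by the end of its last section's raw data. It assumes the image sits contiguously in file layout, as a byte array handed to `Assembly.Load(byte[])` does; the function names and the sample bytes are constructed for illustration.

```python
import struct

def _parse_at(dump, base):
    """Return the raw image of a file-layout managed PE at base, else None."""
    try:
        (lfanew,) = struct.unpack_from("<I", dump, base + 0x3C)
        pe = base + lfanew
        if dump[pe:pe + 4] != b"PE\0\0":
            return None
        # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
        nsect, opt_size = struct.unpack_from("<H12xH", dump, pe + 6)
        opt = pe + 24
        (magic,) = struct.unpack_from("<H", dump, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
        (ndirs,) = struct.unpack_from("<I", dump, dirs - 4)
        clr_rva, clr_size = struct.unpack_from("<II", dump, dirs + 14 * 8)
        if ndirs <= 14 or not (clr_rva and clr_size):
            return None  # no CLR header: native module, skip it
        end = 0
        for i in range(nsect):  # file size = end of the last section's raw data
            size, ptr = struct.unpack_from("<II", dump, opt + opt_size + 40 * i + 16)
            end = max(end, ptr + size)
    except (struct.error, KeyError):
        return None  # header runs off the buffer or unknown optional-header magic
    return dump[base:base + end] if 0 < end <= len(dump) - base else None

def carve_managed_pe(dump):
    """List (offset, image) for each managed PE stored contiguously in dump."""
    hits, pos = [], dump.find(b"MZ")
    while pos != -1:
        image = _parse_at(dump, pos)
        if image:
            hits.append((pos, image))
        pos = dump.find(b"MZ", pos + 2)
    return hits

def sample_assembly():
    """Constructed 1 KiB PE32 skeleton with a CLR directory; not a real DLL."""
    img = bytearray(0x400)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    struct.pack_into("<H12xH", img, 0x86, 1, 224)           # sections, opt hdr size
    struct.pack_into("<H", img, 0x98, 0x10B)                # PE32 magic
    struct.pack_into("<I", img, 0x98 + 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x98 + 208, 0x2008, 72)    # CLR directory entry
    struct.pack_into("<II", img, 0x98 + 240, 0x200, 0x200)  # raw size, raw pointer
    return bytes(img)

# Constructed "dump": filler, a stray MZ, the sample image, more filler.
SAMPLE_DUMP = b"\xAA" * 0x123 + b"MZ" + b"\xAA" * 0x50 + sample_assembly() + b"\xAA" * 0x40
```

An image that the loader has mapped section by section is laid out by RVA rather than file offset, so it has to be rebuilt from the section table instead of sliced out this way.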