1

I have an executable running on some client. He reports a crash at mymodule.dll!0xaddr. Given that I have the executable, a symbol server, a properly set up WinDbg, is there any way to see the code at location 0xaddr without loading a dump or attaching to a running process?

AndreiM
  • 815
  • 9
  • 17

1 Answers1

5

It depends a bit on what "code" is for you...

  1. Start WinDbg
  2. Choose "Open crash dump ...", not "Open executable ..."
  3. Select the EXE or DLL file of your choice, not a DMP file
  4. Set up your symbols
  5. Type ln mymodule.dll!0xaddr to see what symbol is near that address
  6. Type u mymodule.dll!0xaddr to see the assembler code

If the EXE or DLL has PDB information and WinDbg was able to find the PDB, and if the PDB refers to source (e.g. private symbols), you'll get something useful:

0:000> ln 00412510
[...\addressdemo\addressdemo.cpp @ 8] (00412510)   AddressDemo!main   |  (00412575)   AddressDemo!std::uncaught_exception
Exact matches:

0:000> u 00412510
AddressDemo!main [...\projects\addressdemo\addressdemo.cpp @ 8]:
00412510 55              push    ebp
00412511 8bec            mov     ebp,esp
00412513 81ecc0000000    sub     esp,0C0h
00412519 53              push    ebx
0041251a 56              push    esi
0041251b 57              push    edi
Thomas Weller
  • 55,411
  • 20
  • 125
  • 222
  • 1
    Good tip with selecting EXE or DLL instead of a dump. However, I could not make the command `ln mymodule.dll!0xaddr` or `ln mymodule!0xaddr`. However, I can see the module load address (usually 0x10000000) and `ln 10000000 +0xaddr` works now. Thanks! – AndreiM Dec 05 '18 at 15:08