How can I programmatically find a suitable region to reload an unloaded module without overlap?

Question

I am working on a windbg extension for dump analysis that requires symbols from unloaded modules. I'm using the function IDebugSymbols3::Reload, which is analogous to the .reload command. In the case that the region originally occupied by the module is no longer available, I must explicitly specify a new base address to load into.

If I were manually debugging, I would probably use the !address extension to list free regions and look for one that was large enough. How I can programmatically find an appropriate location in the target's address space to use?

Answer 1

GetNumberModules(), for count of loaded and unloaded modules
GetModuleParameters in a loop for base and size

or maybe IDebugDataSpaces2::QueryVirtual

#include <engextcpp.cpp>
#define MAX_MOD 0x100
class EXT_CLASS : public ExtExtension
{
public:
    EXT_COMMAND_METHOD(getoff);
};
EXT_DECLARE_GLOBALS();
EXT_COMMAND(getoff,"","")
{
    ULONG Loaded = 0;
    ULONG UnLoaded = 0;
    m_Symbols->GetNumberModules(&Loaded,&UnLoaded);
    Out("No of Loaded Modules =%u\n" ,Loaded);
    Out("No of UnLoaded Modules =%u\n" ,UnLoaded);
    DEBUG_MODULE_PARAMETERS Mdprm[MAX_MOD] = {0}; //fix
    if(Loaded < MAX_MOD) 
    {
        for(ULONG i=0;i< Loaded;i++)
        {
            m_Symbols->GetModuleParameters(1,NULL,i,&Mdprm[i]);            
            Out("Base&Size Mod %2u %16I64x %8x\n",i,Mdprm[i].Base,Mdprm[i].Size);
        }
    }    
}

compiled and linked with vs2017 dev cmd prompt on win7 x86 using 18362 includes

E:\sdk\getoff>cat complink.bat
cl /LD /nologo /W4 /Ox  /Zi /EHsc /IE:\windjs\windbg_18362\inc %1.cpp /link /EXPORT:DebugExtensionInitialize /Export:%1 /Export:help /RELEASE

resulting in

0:000> .load ./getoff.dll
0:000> !getoff
No of Loaded Modules =38
No of UnLoaded Modules =0
Base&Size Mod  0            90000    28000
Base&Size Mod  1         64ce0000   5e1000
Base&Size Mod  2         656c0000   190000
Base&Size Mod  3         65f80000    82000
Base&Size Mod  4         66010000    dc000
Base&Size Mod  5         662b0000     3000
Base&Size Mod  6         662c0000     5000
Base&Size Mod  7         662d0000     3000
Base&Size Mod  8         662f0000     3000
Base&Size Mod  9         66310000    10000
Base&Size Mod 10         66320000     3000
Base&Size Mod 11         667b0000     3000
Base&Size Mod 12         667c0000     3000
Base&Size Mod 13         66e80000     4000
Base&Size Mod 14         687d0000     4000
Base&Size Mod 15         68820000     4000
Base&Size Mod 16         68830000     3000
Base&Size Mod 17         68840000     3000
Base&Size Mod 18         6a200000     3000
Base&Size Mod 19         6a300000     3000
Base&Size Mod 20         6a340000     3000
Base&Size Mod 21         6a900000    10000
Base&Size Mod 22         6e660000     3000
Base&Size Mod 23         73b30000     4000
Base&Size Mod 24         74510000    2f000
Base&Size Mod 25         74890000     3000
Base&Size Mod 26         756f0000    17000
Base&Size Mod 27         75bc0000    4a000
Base&Size Mod 28         75f10000     a000
Base&Size Mod 29         761f0000    d4000
Base&Size Mod 30         76330000   15c000
Base&Size Mod 31         764d0000    c9000
Base&Size Mod 32         76790000    a1000
Base&Size Mod 33         76840000    9d000
Base&Size Mod 34         778b0000    8f000
Base&Size Mod 35         77940000    ac000
Base&Size Mod 36         779f0000   13c000
Base&Size Mod 37         77b40000    4e000
0:000>