·         We can inspect the objects with unmanaged commands:

The reference to an object points to the method table (which is a pointer to the table with the method descriptors) followed by the data of the object. There are 4 other bytes before the pointer to the method table which are the syncblk.

The graph below will show the following info, fields and methods in a different way which will help us understand how an object looks in memory:

0:000> !do 0x01aef338

Name: WindowsApplication1.Form1

MethodTable: 001c6ecc

EEClass: 002d0a30

Size: 352(0x160) bytes



      MT    Field   Offset                 Type VT     Attr    Value Name


7ae75b24  40011e0       80 ...Drawing.Rectangle  1 instance 01aef3b8 displayRect


7b47f3dc  4000011      154 ...dows.Forms.Button  0 instance 01af0398 _Button6


0:000> !DumpVC 7ae75b24 01aef3b8

Name: System.Drawing.Rectangle

MethodTable 7ae75b24

EEClass: 7ae75aac

Size: 24(0x18) bytes



      MT    Field   Offset                 Type VT     Attr    Value Name

79102290  4000462        0         System.Int32  0 instance        0 x

79102290  4000463        4         System.Int32  0 instance        0 y

79102290  4000464        8         System.Int32  0 instance      384 width

79102290  4000465        c         System.Int32  0 instance      352 height


0:000> !DumpMT -md 0x001c6ecc

EEClass: 002d0a30

Module: 001c2c3c

Name: WindowsApplication1.Form1

mdToken: 02000008  (C:\__WORKSHOP\Demos\BuggyNETApp\bin\Debug\WindowsApplication1.exe)

BaseSize: 0x160

ComponentSize: 0x0

Number of IFaces in IFaceMap: 15

Slots in VTable: 399


MethodDesc Table

   Entry MethodDesc      JIT Name

7b05e348   7b4a4668   PreJIT System.Windows.Forms.Form.ToString()


002c1828   001c6d80      JIT WindowsApplication1.Form1.get_Button1()


001cc221   001c6e08     NONE WindowsApplication1.Form1.Run()



 .NET object in memory

