The !dlls extension displays the table entries of all loaded modules. You can also use it to display all modules that a specified thread or process is using.

The WinDbg help file describes all parameters. Here we show the most common usage.

Displays file headers and section headers:

!dlls -a

0:801> !dlls -a

0x00543598: C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe

      Base   0x00400000  EntryPoint  0x00411929  Size        0x00027000

      Flags  0x00004000  LoadCount   0x0000ffff  TlsIndex    0x00000000

             LDRP_ENTRY_PROCESSED

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES

     14C machine (i386)

       6 number of sections

48785A80 time date stamp Sat Jul 12 00:17:20 2008

       0 file pointer to symbol table

       0 number of symbols

      E0 size of optional header

     103 characteristics

            Relocations stripped

            Executable

            32 bit word machine

OPTIONAL HEADER VALUES

     10B magic #

    9.00 linker version

    C400 size of code

    7C00 size of initialized data

       0 size of uninitialized data

   11929 address of entry point

    1000 base of code

    1000 base of data

         ----- new -----

00400000 image base

    1000 section alignment

     200 file alignment

       2 subsystem (Windows GUI)

    5.00 operating system version

    0.00 image version

    5.00 subsystem version

   27000 size of image

     400 size of headers

       0 checksum

00100000 size of stack reserve

00001000 size of stack commit

00100000 size of heap reserve

00001000 size of heap commit

00400100 Opt Hdr

       0 [       0] address [size] of Export Directory

   23000 [      8C] address [size] of Import Directory

   25000 [    1E7C] address [size] of Resource Directory

       0 [       0] address [size] of Exception Directory

       0 [       0] address [size] of Security Directory

       0 [     101] address [size] of Base Relocation Directory

   1E940 [      1C] address [size] of Debug Directory

       0 [       0] address [size] of Description Directory

       0 [       0] address [size] of Special Directory

       0 [       0] address [size] of Thread Storage Directory

       0 [       0] address [size] of Load Configuration Directory

       0 [       0] address [size] of Bound Import Directory

   23884 [     7F8] address [size] of Import Address Table Directory

       0 [       0] address [size] of Reserved Directory

       0 [       0] address [size] of Reserved Directory

       0 [       0] address [size] of Reserved Directory

SECTION HEADER #1

         name

       0 virtual size

       0 virtual address

       0 size of raw data

       0 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

       0 flags

         (no align specified)

SECTION HEADER #2

         name

       0 virtual size

       0 virtual address

       0 size of raw data

       0 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

       0 flags

         (no align specified)

SECTION HEADER #3

         name

       0 virtual size

       0 virtual address

       0 size of raw data

       0 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

       0 flags

         (no align specified)

SECTION HEADER #4

         name

       0 virtual size

       0 virtual address

       0 size of raw data

       0 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

       0 flags

         (no align specified)

SECTION HEADER #5

         name

       0 virtual size

       0 virtual address

       0 size of raw data

       0 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

       0 flags

         (no align specified)

SECTION HEADER #6

         name

       0 virtual size

       0 virtual address

       0 size of raw data

       0 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

       0 flags

         (no align specified)

Displays version numbers:

!dlls -v

0:801> !dlls -v

0x00543598: C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe

      Base   0x00400000  EntryPoint  0x00411929  Size        0x00027000

      Flags  0x00004000  LoadCount   0x0000ffff  TlsIndex    0x00000000

             LDRP_ENTRY_PROCESSED

      Product Name       MTGDI Application

      Product Version    1, 0, 0, 1

      Original Filename  MTGDI.EXE

      File Description   MTGDI MFC Application

      File Version       1, 0, 0, 1

0x00543628: C:\Windows\SysWOW64\ntdll.dll

      Base   0x77630000  EntryPoint  0x00000000  Size        0x00180000

      Flags  0x80004004  LoadCount   0x0000ffff  TlsIndex    0x00000000

             LDRP_IMAGE_DLL

             LDRP_ENTRY_PROCESSED

      Company Name       Microsoft Corporation

      Product Name       Microsoft® Windows® Operating System

      Product Version    6.1.7100.0

      Original Filename  ntdll.dll

      File Description   NT Layer DLL

      File Version       6.1.7100.0 (winmain_win7rc.090421-1700)

0x005439a8: C:\Windows\syswow64\kernel32.dll

      Base   0x769d0000  EntryPoint  0x769e3e8a  Size        0x00100000

      Flags  0x80084004  LoadCount   0x0000ffff  TlsIndex    0x00000000

             LDRP_IMAGE_DLL

             LDRP_ENTRY_PROCESSED

             LDRP_PROCESS_ATTACH_CALLED

      Company Name       Microsoft Corporation

      Product Name       Microsoft® Windows® Operating System

      Product Version    6.1.7100.0

      Original Filename  kernel32

      File Description   Windows NT BASE API Client DLL

      File Version       6.1.7100.0 (winmain_win7rc.090421-1700)

0x00543ac0: C:\Windows\syswow64\KERNELBASE.dll

      Base   0x76ad0000  EntryPoint  0x76ad563f  Size        0x00044000

      Flags  0x80084004  LoadCount   0x0000ffff  TlsIndex    0x00000000

             LDRP_IMAGE_DLL

             LDRP_ENTRY_PROCESSED

             LDRP_PROCESS_ATTACH_CALLED

      Company Name       Microsoft Corporation

      Product Name       Microsoft® Windows® Operating System

      Product Version    6.1.7100.0

      Original Filename  Kernelbase

      File Description   Windows NT BASE API Client DLL

      File Version       6.1.7100.0 (winmain_win7rc.090421-1700)

Use the module address to display information for a specific DLL:

!dlls -c <moduleAddress>

0:801> !dlls -c 63390000

Dump dll containing 0x63390000:

0x00544998: C:\Windows\WinSxS\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb\MSVCR90D.dll

      Base   0x63390000  EntryPoint  0x633cc6f0  Size        0x00123000

      Flags  0x90084004  LoadCount   0x0000ffff  TlsIndex    0x00000000

             LDRP_IMAGE_DLL

             LDRP_ENTRY_PROCESSED

             LDRP_PROCESS_ATTACH_CALLED

             LDRP_REDIRECTED
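
For triage it helps to turn a saved `!dlls -v` or `!dlls -c` listing into records that can be filtered. The following Python is an added example, not part of the original page or of WinDbg: it parses the listing format shown above, reports Flags bits that the printed LDRP_* names do not account for, and lists modules loaded from outside a baseline directory. The function names, the `c:\windows\` baseline and the embedded sample are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed copy of the `!dlls -v` listing shown above.
SAMPLE = r"""
0x00543598: C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe
      Base   0x00400000  EntryPoint  0x00411929  Size        0x00027000
      Flags  0x00004000  LoadCount   0x0000ffff  TlsIndex    0x00000000
             LDRP_ENTRY_PROCESSED
      Product Name       MTGDI Application
0x00543628: C:\Windows\SysWOW64\ntdll.dll
      Base   0x77630000  EntryPoint  0x00000000  Size        0x00180000
      Flags  0x80004004  LoadCount   0x0000ffff  TlsIndex    0x00000000
             LDRP_IMAGE_DLL
             LDRP_ENTRY_PROCESSED
      Company Name       Microsoft Corporation
"""

ENTRY = re.compile(r"^(0x[0-9a-fA-F]+): (.+)$")
FIELD = re.compile(r"(Base|EntryPoint|Size|Flags|LoadCount|TlsIndex)\s+(0x[0-9a-fA-F]+)")
VERSION = re.compile(r"^\s+(\S.*?\S)\s{2,}(\S.*)$")
# Bit values of the LDRP_* names that appear in the listings above.
LDRP_BITS = {"LDRP_IMAGE_DLL": 0x4, "LDRP_ENTRY_PROCESSED": 0x4000,
             "LDRP_PROCESS_ATTACH_CALLED": 0x80000, "LDRP_REDIRECTED": 0x10000000}

def parse_dlls(text):
    modules, cur = [], None
    for line in text.splitlines():
        entry = ENTRY.match(line)
        if entry:  # "0x<entry address>: <path>" starts a new module record
            cur = {"Entry": int(entry[1], 16), "Path": entry[2].strip(), "FlagNames": [], "Version": {}}
            modules.append(cur)
        elif cur is None or not line.strip():
            continue  # preamble such as "Dump dll containing ...", or blank spacing
        elif FIELD.search(line):
            cur.update({k: int(v, 16) for k, v in FIELD.findall(line)})
        elif line.strip().startswith("LDRP_"):
            cur["FlagNames"].append(line.strip())
        elif (ver := VERSION.match(line)):
            cur["Version"][ver[1]] = ver[2].strip()
    return modules

def unnamed_flag_bits(module):
    """Bits set in Flags that the printed LDRP_* names do not account for."""
    named = sum(LDRP_BITS.get(n, 0) for n in module["FlagNames"])
    return module["Flags"] & ~named

def outside_root(modules, root="c:\\windows\\"):
    """Paths not under `root` (an assumed baseline), for manual review."""
    return [m["Path"] for m in modules if not m["Path"].lower().startswith(root)]
```

To work on a real session, capture the debugger output with `.logopen` and `.logclose` and pass the log file's text to `parse_dlls`.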