MSDN Blogs

Posts tagged: Modules
This command enables you to save memory into a disk file. The cool thing about it is that you can save modules too; however, it is just the raw memory. The parameters are: .writemem <filename> <range> Here is an example: 0:026> lm start...
Using WinDbg you can create a dump file from an application running, for instance, in a production server. After collecting the dump file, you can load it in another machine and debug it. However, to be more effective during your debugging session you...
These are two debugger extensions that are used to see the PDB file that matches a specific module. Note that !itoldyouso is not documented. The output of both commands is identical. Usage: 0:025> !chksym ntdll ntdll.dll Timestamp: 49EEA706 SizeOfImage: ...
The !dlls extension displays the table entries of all loaded modules. You can also use it to display all modules that a specified thread or process is using. The WinDbg help file describes all parameters. Here we are going to show the most common usage. Displays...
The !dh extension displays the PE header information from a specified module. Usage: !dh [options] <addressOfModule> Options can be: -f Displays file headers. -s Displays section headers. -a Displays all header information. Example: 0:532> lm...
Like its cousin !dh, the !lmi extension displays the PE header information from a specified module. However, it gives you fewer details than !dh. The output is summarized. Usage: !lmi <moduleName> Examples: 0:532> !lmi mtgdi Loaded Module Info: ...
Let's say that you get a memory address and you want to know if it's from the heap, the stack, or someplace else. Or, let's say you have a .NET application consuming lots of memory, and you want to get a better understanding of this memory consumption.
This is by far one of the most powerful WinDbg commands. Even if you don't create scripts, you'll benefit from this command. It's powerful because it's flexible. You can use it for a huge variety of operations. The .foreach token parses the output of...
Yet another basic and useful command: lm. Hmmmmm... OK, so you already know this command. Great! But do you know all of its variations? Usually when we get used to a command we don't try to explore its variations, and sometimes one of these variations may...
During your debugging session, you may find yourself trying to identify if a specific symbol or module appears in one or more threads. There's more than one way to do that, and here I cover it in the simplest way: !findstack This command accepts the...
Very often I found myself scanning the stack or the entire virtual memory of the process to find information that may help me. This information may be strings, DWORDs, bytes, chars, etc. To accomplish this you should use the s command. Here I exemplify...
This is my first script using the PowerDbg functions. It's a good example of how to use PowerDbg to build your own scripts. PowerDbgScriptSaveModule.ps1 is the PowerShell version of my WinDbg script Save_Module.txt. Actually, it does more than the previous...
After creating this script, I have used it in almost every case that requires decompilation, and I guess you are going to use it, too. This script gives you the base address and module name, so you can use !SaveModule from SOS to save the module. Ok...