问题
I have a memory dump (unmanaged process) . How can I extract (using windbg) one of the dlls loaded into the process ? I mean actually saving the dll file into the disk
回答1:
You can use the sos.dll inside windbg directory.
First, load the sos.dll in windbg:
.load clr10\sos.dll
Then use !sam OR !SaveAllModule to extract the modules on specific disk location:
!sam c:\notepad
回答2:
To extract a DLL without using SOS, use the .writemem extension as follows:
discover the module start and end addresses using
lmvm dllname
example output for ieframe:start end module name61370000 61fb8000 ieframecalculate the length = end-start:
? 61fb8000 - 61370000
output:Evaluate expression: 12877823 = 00c48000then save the DLL as follows:
.writemem C:\tmp\mydll.dll 61370000 L?00c48000
This is unlikely to give you the exact DLL as it was loaded from disk, fixing this up is non-trivial.
(Partly based on this article)
回答3:
Yes, it's true. calc.exe will also pull up its multi user language interface information and attach it in memory, as will a lot of Windows programs like mspaint, photoviewer, etc.
来源:https://stackoverflow.com/questions/1643915/how-can-i-extract-dll-file-from-memory-dump