Loading application code from Memory Dump

A memory dump represents all memory taken by the process at a set of time.

Since user code (modules/assemblies) to be executed must be loaded into process, there should be a chance to find them in a snapshot.

Getting started

The entry point on travelling via memory snapshots is SOS Debugging Extension, and I would hope it has something might be useful for us :

SaveModule <Base address> <Filename>

The command writes an image, which is loaded in memory at the specified address, to the specified file.

All is left to find a mystic Base address - place where module is located in memory.

Skipping boring parts

To cut long story short for_each_module command is exactly what we need, thus resulting WinDbg script would look like:

!for_each_module .if ($spat ("${@#ImageName}","*.exe")) { !SaveModule ${@#Base} C:\Dumps\${@#ModuleName}.exe } .else { !SaveModule ${@#Base} C:\Dumps\${@#ModuleName}.dll }

The script would enumerate the modules loaded into the process, and will save them to c:\Dumps\ folder.

Comments

The command does not differentiate between native and managed assemblies, so will save all
ASP.NET will dynamically compile code into modules, thereby dynamically assemblies would also be saved

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Loading application code from Memory Dump

Getting started

Skipping boring parts

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally