I have a memory dump (unmanaged process). How can I extract (using WinDbg) one of the DLLs loaded into the process? I mean actually saving the DLL file to disk.
+2
A:
You can use the sos.dll inside windbg directory.
First, load the sos.dll in windbg:
.load clr10\sos.dll
Then use !sam or !SaveAllModule to extract the modules to a specific disk location:
!sam c:\notepad
Steve
2009-10-29 14:09:49
I tried that but it didn't work. I attached Windbg to Calc.exe and wrote the exe and got a bigger file. Strange.
Saar
2009-10-31 10:43:01
I guess that's due to discrepancies in alignment - PE32 files take more space in memory than on disk due to larger memory alignment requirements. You need to properly rebuild the executable after it is dumped to meet these rules. Besides, the debug section is not dumped (as it is not mapped, I guess). Import tables also need reconstruction.
2009-11-05 17:07:56
A:
Yes, it's true. calc.exe will also pull up its multi user language interface information and attach it in memory, as will a lot of Windows programs like mspaint, photoviewer, etc.
Matt
2009-11-11 18:56:38
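The alignment point from the comments above, as an added example that is not part of the original thread: a Python sketch that rewrites a module saved in memory layout back to file layout by moving each section from its VirtualAddress to its PointerToRawData. The names `unmap_pe` and `build_sample` are hypothetical, the sample image is constructed, and only the layout step is covered (import tables and unmapped data such as debug information are not restored).

```python
import struct

def unmap_pe(image: bytes) -> bytes:
    """Rewrite a PE image from memory layout (sections at VirtualAddress)
    to file layout (sections at PointerToRawData)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe, = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", image, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe + 20)   # SizeOfOptionalHeader
    opt = pe + 24
    hdr_size, = struct.unpack_from("<I", image, opt + 60)  # SizeOfHeaders
    out = bytearray(image[:hdr_size])
    for i in range(nsec):
        # Fields: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _, va, rsize, rptr = struct.unpack_from("<4I", image, opt + opt_size + 40 * i + 8)
        data = image[va:va + rsize]                        # may be short in a partial dump
        if len(out) < rptr + rsize:
            out.extend(bytes(rptr + rsize - len(out)))     # zero-fill up to the section end
        out[rptr:rptr + len(data)] = data
    return bytes(out)

def build_sample():
    """Constructed two-section PE32 stub (not loadable); returns (file_layout, memory_layout)."""
    pe, opt = 0x80, 0x80 + 24
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe)
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, pe + 4, 0x14C, 2)          # Machine, NumberOfSections
    struct.pack_into("<H", hdr, pe + 20, 0xE0)              # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x3000, 0x200)   # SizeOfImage, SizeOfHeaders
    disk, mem = bytearray(0x600), bytearray(0x3000)
    sections = [(b".text", 0x1000, 0x200, b"\xCC" * 0x150),
                (b".data", 0x2000, 0x400, b"D" * 0x1F0)]
    for i, (name, va, rptr, body) in enumerate(sections):
        struct.pack_into("<8s4I", hdr, opt + 0xE0 + 40 * i, name, len(body), va, 0x200, rptr)
        disk[rptr:rptr + len(body)] = body
        mem[va:va + len(body)] = body
    disk[:0x200] = mem[:0x200] = hdr
    return bytes(disk), bytes(mem)

if __name__ == "__main__":
    disk, mem = build_sample()
    print(len(mem), len(disk), unmap_pe(mem) == disk)
```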