Dismiss Notice

Register now to be one of the first members of this SharePoint Community! Click here it just takes seconds!

Dismiss Notice
Welcome Guest from Country Flag

Dumping modules from a memory dump for decompilation

Discussion in 'Official Microsoft News' started by benjaminperkins, Apr 3, 2017.

Thread Status:
Not open for further replies.
  1. benjaminperkins

    benjaminperkins Guest

    Blog Posts:
    One of my favorite WinDbg commands is the psscor4 SaveAllModules (sam). I used to just bang that one out and use JustDecompile to look at the code to find out what was going on, like why the process was hanging or consuming more memory than expected.

    At the moment psscor4 does not support the most current version of .NET so I needed to find an alternative.

    The one I use is the SaveModule command in the SOS.dll, but this only dumps out a specific module, you might say? Well, execute this script in WinDbg and it will dump them all for you, see Figure 1.

    !for_each_module .if ($spat (“${@#ImageName}”,”*.exe”)) { !SaveModule ${@#Base} D:MemoryDumpsanythingexes${@#ModuleName}.exe } .else { !SaveModule ${@#Base} D:MemoryDumpsanythingdlls${@#ModuleName}.dll }


    Figure 1, dump out assemblies in WinDbg

    Then open up JustDecompile, add the modules and go for it.

    Continue reading...
Thread Status:
Not open for further replies.

Share This Page

LiveZilla Live Chat Software