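Look up the Module ID that corresponds to an address on the stack, then save that module.

The !IP2MD command obtains the address of the MethodDesc structure from a managed function.

!dumpmodule 1caa50 displays information about the module at address 1caa50.

!SaveModule <base address> <file name> writes the image loaded in memory at the specified address to the specified file.

IP2MD help text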
    :> !help IP2MD
    -------------------------------------------------------------------------------
    !IP2MD <Code address>

    Given an address in managed JITTED code, IP2MD attempts to find the MethodDesc
    associated with it. For example, this output from K:

    :> K
    ChildEBP RetAddr
    00a79c78 03ef02ab image00400000!Mainy.Top()+0xb
    00a79c78 03ef01a6 image00400000!Mainy.Level(Int32)+0xb
    00a79c78 5d3725a1 image00400000!Mainy.Main()+0xee
    0012ea04 5d512f59 clr!CallDescrWorkerInternal+0x30
    0012ee34 5d7946aa clr!CallDescrWorker+0x109

    :> !IP2MD 03ef01a6
    MethodDesc: 00902f40
    Method Name: Mainy.Main()
    Class: 03ee1424
    MethodTable: 009032d8
    mdToken: 0600000d
    Module: 001caa38
    IsJitted: yes
    CodeAddr: 03ef00b8
    Transparency: Critical
    Source file: c:\Code\prj.mini\exc.cs @

    We have taken a return address into Mainy.Main, and discovered information
    about that method. You could run !U, !DumpMT, !DumpClass, !DumpMD, or
    !DumpModule on the fields listed to learn more.

    The "Source line" output will only be present if the debugger can find the
    symbols for the managed module containing the given <code address>, and if the
    debugger is configured to load line number information.

dumpmodule help text

    :> !help dumpmodule
    -------------------------------------------------------------------------------
    !DumpModule [-mt] <Module address>

    You can get a Module address from !DumpDomain, !DumpAssembly and other
    functions. Here is sample output:

    :> !DumpModule 1caa50
    Name: C:\pub\unittest.exe
    Attributes: PEFile
    Assembly: 001ca248
    LoaderHeap: 001cab3c
    TypeDefToMethodTableMap: 03ec0010
    TypeRefToMethodTableMap: 03ec0024
    MethodDefToDescMap: 03ec0064
    FieldDefToDescMap: 03ec00a4
    MemberRefToDescMap: 03ec00e8
    FileReferencesMap: 03ec0128
    AssemblyReferencesMap: 03ec012c
    MetaData start address: ( bytes)

    The Maps listed map metadata tokens to CLR data structures. Without going into
    too much detail, you can examine memory at those addresses to find the
    appropriate structures. For example, the TypeDefToMethodTableMap above can be
    examined:

    :> dd 3ec0010
    03ec0010 0090320c 0090375c
    03ec0020 009038ec ...

    This means TypeDef token maps to a MethodTable with the value 0090320c. You
    can run !DumpMT to verify that. The MethodDefToDescMap takes a MethodDef token
    and maps it to a MethodDesc, which can be passed to !DumpMD.

    There is a new option "-mt", which will display the types defined in a module,
    and the types referenced by the module. For example:

    :> !dumpmodule -mt 1aa580
    Name: C:\pub\unittest.exe
    ...<etc>...
    MetaData start address: 0040220c ( bytes)

    Types defined in this module

    MT TypeDef Name
    --------------------------------------------------------------------------
    030d115c 0x02000002 Funny
    030d1228 0x02000003 Mainy

    Types referenced in this module

    MT TypeRef Name
    --------------------------------------------------------------------------
    030b6420 0x01000001 System.ValueType
    030b5cb0 0x01000002 System.Object
    030fceb4 0x01000003 System.Exception
    0334e374 0x0100000c System.Console
    03167a50 0x0100000e System.Runtime.InteropServices.GCHandle
    0336a048 0x0100000f System.GC

SaveModule help text

    :> !help SaveModule
    -------------------------------------------------------------------------------
    !SaveModule <Base address> <Filename>

    This command allows you to take a image loaded in memory and write it to a
    file. This is especially useful if you are debugging a full memory dump, and
    don't have the original DLLs or EXEs. This is most often used to save a managed
    binary to a file, so you can disassemble the code and browse types with ILDASM.

    The base address of an image can be found with the "LM" debugger command:

    :> lm
    start end module name
    image00400000 (deferred)
    102ac000 MSVCR80D (deferred)
    5a000000 5a0b1000 mscoree (deferred)
    5a140000 5a29e000 clrjit (deferred)
    5b660000 5c440000 mscorlib_dll (deferred)
    5d1d0000 5e13c000 clr (deferred)
    ...

    If I wanted to save a copy of clr.dll, I could run:

    :> !SaveModule 5d1d0000 c:\pub\out.tmp
    sections in file
    section - VA=, VASize=e82da9, FileAddr=, FileSize=e82e00
    section - VA=e84000, VASize=24d24, FileAddr=e83200, FileSize=ec00
    section - VA=ea9000, VASize=5a8, FileAddr=e91e00, FileSize=
    section - VA=eaa000, VASize=c183c, FileAddr=e92400, FileSize=c1a00

    The diagnostic output indicates that the operation was successful. If
    c:\pub\out.tmp already exists, it will be overwritten.

The following is one complete session of retrieving a DLL file:

    :> .load E:\dump\sos
    :> !clrstack
    OS Thread Id: 0x10968 ()
    Child SP IP Call Site
    0000000008e8c9d0 000007fef46779b1 *** WARNING: Unable to verify checksum for System.Data.ni.dll
    System.Data.RBTree`[[System.Int32, mscorlib]].IncreaseSize(Int32)
    0000000008e8ca00 000007fef467744a System.Data.RBTree`[[System.Int32, mscorlib]].RBInsert(Int32, Int32, Int32, Int32, Boolean)
    0000000008e8ca80 000007fef467497c System.Data.Index.InitRecords(System.Data.IFilter)
    0000000008e8cb10 000007fef46746cf System.Data.Index..ctor(System.Data.DataTable, System.Data.IndexField[], System.Comparison`, System.Data.DataViewRowState, System.Data.IFilter)
    0000000008e8cbc0 000007fef466b838 System.Data.DataTable.GetIndex(System.Data.IndexField[], System.Data.DataViewRowState, System.Data.IFilter)
    0000000008e8cc50 000007fef467442f System.Data.DataView.UpdateIndex(Boolean, Boolean)
    0000000008e8cd00 000007fef4674191 System.Data.DataView.SetIndex2(System.String, System.Data.DataViewRowState, System.Data.IFilter, Boolean)
    0000000008e8ce10 000007fef4b173f3 System.Data.DataView..ctor(System.Data.DataTable)
    0000000008e8ce50 000007fe9ace32ba *** WARNING: Unable to verify checksum for XXXXXXXXX.Drp.LSPub.Common.dll
    *** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Drp.LSPub.Common.dll
    XXXXXXXXX.Drp.LS.Common.DataTableCompressWithSurrogateLS.GZipCompressDataTableWithSurrogate(System.Data.DataTable, Int32)
    0000000008e8cf00 000007fe9ace2e78 XXXXXXXXX.Drp.LS.Common.DataSetCompressWithSurrogateLS.GZipCompressDataSetWithSurrogate(System.Data.DataSet, Int32)
    0000000008e8cf90 000007fe9acda622 *** WARNING: Unable to verify checksum for XXXXXXXXX.Drp.Biz.dll
    *** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Drp.Biz.dll
    XXXXXXXXX.Drp.Biz.Service.BaseReferBillSrv.GetReferInfo(System.String, System.String, System.String, System.String, System.String, System.String, Boolean, Int32, Int32, Int32)
    0000000008e8d2d0 000007fef8beafb3 [DebuggerU2MCatchHandlerFrame: 0000000008e8d2d0]
    0000000008e8d5e8 000007fef8beafb3 [HelperMethodFrame_PROTECTOBJ: 0000000008e8d5e8] System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
    0000000008e8d760 000007fef7ac2e8c System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[]) [f:\dd\ndp\clr\src\BCL\System\Reflection\MethodInfo.cs @ ]
    0000000008e8d7d0 000007fef7ac05b3 System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo) [f:\dd\ndp\clr\src\BCL\System\Reflection\MethodInfo.cs @ ]
    0000000008e8d850 000007fe9a0f2705 *** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Platform.AppFramework.RestfulService.dll
    XXXXXXXXX.Platform.AppFramework.Service.GSPRestfulContext.Invoke(System.String, System.String, System.String, Boolean, System.String[], Int32[] ByRef, System.String[] ByRef)
    0000000008e8d910 000007fe9a0f2088 *** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Platform.AppFramework.RESTFulWebService.dll
    XXXXXXXXX.Platform.AppFramework.RESTFulWebService.GSPHttpWebHandler.Invoke(System.IO.BinaryReader, System.Web.HttpContext)
    0000000008e8da10 000007fe9a0f1599 XXXXXXXXX.Platform.AppFramework.RESTFulWebService.GSPHttpWebHandler.ProcessRequest(System.Web.HttpContext)
    0000000008e8db50 000007fef1aab401 *** WARNING: Unable to verify checksum for System.Web.ni.dll
    System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    0000000008e8dc30 000007fef1a725c5 System.Web.HttpApplication.ExecuteStep(IExecutionStep, Boolean ByRef)
    0000000008e8dcd0 000007fef2316528 System.Web.HttpApplication+ApplicationStepManager.ResumeSteps(System.Exception)
    0000000008e8dd80 000007fef21ff503 System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(System.Web.HttpContext, System.AsyncCallback, System.Object)
    0000000008e8dde0 000007fef2222d15 System.Web.HttpRuntime.ProcessRequestInternal(System.Web.HttpWorkerRequest)
    0000000008e8dea0 000007fef2306b32 System.Web.Hosting.ISAPIRuntime.ProcessRequest(IntPtr, Int32)
    0000000008e8dfc0 000007fef21cd220 DomainNeutralILStubClass.IL_STUB_COMtoCLR(Int64, Int32, IntPtr)
    0000000008e8e288 000007fef8d49a79 [ContextTransitionFrame: 0000000008e8e288]
    0000000008e8e5c0 000007fef8d49a79 [ComMethodFrame: 0000000008e8e5c0]
    :> !ip2md 000007fe9ace2e78
    MethodDesc: 000007fe9aca9310
    Method Name: XXXXXXXXX.Drp.LS.Common.DataSetCompressWithSurrogateLS.GZipCompressDataSetWithSurrogate(System.Data.DataSet, Int32)
    Class: 000007fe9accf968
    MethodTable: 000007fe9aca9378
    mdToken:
    Module: 000007fe9ac5b1c0
    IsJitted: yes
    CodeAddr: 000007fe9ace2cd0
    Transparency: Critical
    :> !dumpmodule 000007fe9ac5b1c0
    Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\cwbase\11c1fc51\baae3393\assembly\dl3\76754fbe\005f3d82_ab2ad201\XXXXXXXXX.Drp.LSPub.Common.dll
    Attributes: PEFile
    Assembly: 000000000dd0f9d0
    LoaderHeap:
    TypeDefToMethodTableMap: 000007fe9ac84708
    TypeRefToMethodTableMap: 000007fe9ac84878
    MethodDefToDescMap: 000007fe9ac84b88
    FieldDefToDescMap: 000007fe9ac86228
    MemberRefToDescMap:
    FileReferencesMap: 000007fe9ac86e88
    AssemblyReferencesMap: 000007fe9ac86e90
    MetaData start address: 000000000440d52c ( bytes)
    :> !SaveModule 000007fe9ac5b1c0 d:\XXXXXXXXX.Drp.LSPub.Common.dll
    sections in file
    section - VA=, VASize=2cb94, FileAddr=, FileSize=2cc00
    section - VA=, VASize=, FileAddr=2ce00, FileSize=
    section - VA=, VASize=c, FileAddr=2d200, FileSize=
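
Before opening a file written by !SaveModule in ILDASM or a decompiler, it is worth confirming that it is a well-formed PE image with a CLR header and recording its hash. The following is an added example, not part of the original post or of SOS: the function names and the sample image built by `build_sample` are constructed for illustration, and the parser reports sections with the same four fields that !SaveModule prints.

```python
import hashlib
import struct

def inspect_saved_module(data: bytes) -> dict:
    """Check a file written by !SaveModule: PE headers, CLR directory, sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic")
    dirs = opt + (96 if magic == 0x10B else 112)             # data directories
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]      # NumberOfRvaAndSizes
    # Directory 14 is the CLR (COM descriptor) header; empty means native image
    clr = struct.unpack_from("<II", data, dirs + 14 * 8) if ndirs > 14 else (0, 0)
    sections = []
    for i in range(nsec):
        name, vsize, va, fsize, faddr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "VA": va, "VASize": vsize, "FileAddr": faddr, "FileSize": fsize,
            # raw data extends past end of file, so the saved image is incomplete
            "truncated": faddr + fsize > len(data)})
    return {"pe32plus": magic == 0x20B, "managed": clr[0] != 0 and clr[1] != 0,
            "sections": sections, "sha256": hashlib.sha256(data).hexdigest()}

def build_sample(managed: bool = True) -> bytes:
    """Constructed sample: minimal PE32+ headers plus one .text section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)                                     # 112 + 16 dirs * 8
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 112 + 14 * 8, 0x2008, 0x48)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1F4, 0x2000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + b"\0" * 0x200                           # section raw data

if __name__ == "__main__":
    for s in inspect_saved_module(build_sample())["sections"]:
        print("section - VA=%x, VASize=%x, FileAddr=%x, FileSize=%x"
              % (s["VA"], s["VASize"], s["FileAddr"], s["FileSize"]))
```

To check a real extraction, pass the bytes of the saved file (for example the result of `open(path, "rb").read()`) to `inspect_saved_module` and compare the section fields with the !SaveModule diagnostic output.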
