根据堆栈对应的地址查找其对应的Module ID,然后将对应的Module保存。

!IP2MD 命令从托管函数中获取 MethodDesc 结构地址。

!dumpmodule 1caa50 下面的命令显示有关在地址 1caa50 处的模块的信息。
 
!SaveModule <基址> <文件名> 将加载到内存中指定地址的图像写入指定文件。
 
IP2MD帮助信息
:> !help IP2MD

-------------------------------------------------------------------------------

!IP2MD <Code address>

Given an address in managed JITTED code, IP2MD attempts to find the MethodDesc

associated with it. For example, this output from K:

    :> K

    ChildEBP RetAddr

    00a79c78 03ef02ab image00400000!Mainy.Top()+0xb

    00a79c78 03ef01a6 image00400000!Mainy.Level(Int32)+0xb

    00a79c78 5d3725a1 image00400000!Mainy.Main()+0xee

    0012ea04 5d512f59 clr!CallDescrWorkerInternal+0x30

    0012ee34 5d7946aa clr!CallDescrWorker+0x109

    :> !IP2MD 03ef01a6

    MethodDesc:   00902f40

    Method Name:  Mainy.Main()

    Class:        03ee1424

    MethodTable:  009032d8

    mdToken:      0600000d

    Module:       001caa38

    IsJitted:     yes

    CodeAddr:     03ef00b8

    Transparency: Critical

    Source file:  c:\Code\prj.mini\exc.cs @ 

We have taken a return address into Mainy.Main, and discovered information

about that method. You could run !U, !DumpMT, !DumpClass, !DumpMD, or

!DumpModule on the fields listed to learn more.

The "Source line" output will only be present if the debugger can find the

symbols for the managed module containing the given <code address>, and if the

debugger is configured to load line number information.

dumpmodule帮助信息

:> !help dumpmodule

-------------------------------------------------------------------------------

!DumpModule [-mt] <Module address>

You can get a Module address from !DumpDomain, !DumpAssembly and other

functions. Here is sample output:

    :> !DumpModule 1caa50

    Name: C:\pub\unittest.exe

    Attributes: PEFile

    Assembly: 001ca248

    LoaderHeap: 001cab3c

    TypeDefToMethodTableMap: 03ec0010

    TypeRefToMethodTableMap: 03ec0024

    MethodDefToDescMap: 03ec0064

    FieldDefToDescMap: 03ec00a4

    MemberRefToDescMap: 03ec00e8

    FileReferencesMap: 03ec0128

    AssemblyReferencesMap: 03ec012c

    MetaData start address:  ( bytes)

The Maps listed map metadata tokens to CLR data structures. Without going into

too much detail, you can examine memory at those addresses to find the

appropriate structures. For example, the TypeDefToMethodTableMap above can be

examined:

    :> dd 3ec0010

    03ec0010    0090320c 0090375c

    03ec0020  009038ec ...

This means TypeDef token  maps to a MethodTable with the value 0090320c. You

can run !DumpMT to verify that. The MethodDefToDescMap takes a MethodDef token

and maps it to a MethodDesc, which can be passed to !DumpMD.

There is a new option "-mt", which will display the types defined in a module,

and the types referenced by the module. For example:

    :> !dumpmodule -mt 1aa580

    Name: C:\pub\unittest.exe

    ...<etc>...

    MetaData start address: 0040220c ( bytes)

    Types defined in this module

          MT    TypeDef Name

    --------------------------------------------------------------------------

    030d115c 0x02000002 Funny

    030d1228 0x02000003 Mainy

    Types referenced in this module

          MT    TypeRef Name

    --------------------------------------------------------------------------

    030b6420 0x01000001 System.ValueType

    030b5cb0 0x01000002 System.Object

    030fceb4 0x01000003 System.Exception

    0334e374 0x0100000c System.Console

    03167a50 0x0100000e System.Runtime.InteropServices.GCHandle

    0336a048 0x0100000f System.GC

SaveModule帮助信息

:> !help SaveModule

-------------------------------------------------------------------------------

!SaveModule <Base address> <Filename>

This command allows you to take a image loaded in memory and write it to a

file. This is especially useful if you are debugging a full memory dump, and

don't have the original DLLs or EXEs. This is most often used to save a managed

binary to a file, so you can disassemble the code and browse types with ILDASM.

The base address of an image can be found with the "LM" debugger command:

    :> lm

    start    end        module name

        image00400000     (deferred)

     102ac000   MSVCR80D     (deferred)

    5a000000 5a0b1000   mscoree      (deferred)

    5a140000 5a29e000   clrjit     (deferred)

    5b660000 5c440000   mscorlib_dll     (deferred)

    5d1d0000 5e13c000   clr     (deferred)

    ...

If I wanted to save a copy of clr.dll, I could run:

    :> !SaveModule 5d1d0000 c:\pub\out.tmp

     sections in file

    section  - VA=, VASize=e82da9, FileAddr=, FileSize=e82e00

    section  - VA=e84000, VASize=24d24, FileAddr=e83200, FileSize=ec00

    section  - VA=ea9000, VASize=5a8, FileAddr=e91e00, FileSize=

    section  - VA=eaa000, VASize=c183c, FileAddr=e92400, FileSize=c1a00

The diagnostic output indicates that the operation was successful. If

c:\pub\out.tmp already exists, it will be overwritten.

以下为一次获取dll文件的全过程

:> .load E:\dump\sos

:> !clrstack

OS Thread Id: 0x10968 ()

        Child SP               IP Call Site

0000000008e8c9d0 000007fef46779b1 *** WARNING: Unable to verify checksum for System.Data.ni.dll

System.Data.RBTree`[[System.Int32, mscorlib]].IncreaseSize(Int32)

0000000008e8ca00 000007fef467744a System.Data.RBTree`[[System.Int32, mscorlib]].RBInsert(Int32, Int32, Int32, Int32, Boolean)

0000000008e8ca80 000007fef467497c System.Data.Index.InitRecords(System.Data.IFilter)

0000000008e8cb10 000007fef46746cf System.Data.Index..ctor(System.Data.DataTable, System.Data.IndexField[], System.Comparison`, System.Data.DataViewRowState, System.Data.IFilter)

0000000008e8cbc0 000007fef466b838 System.Data.DataTable.GetIndex(System.Data.IndexField[], System.Data.DataViewRowState, System.Data.IFilter)

0000000008e8cc50 000007fef467442f System.Data.DataView.UpdateIndex(Boolean, Boolean)

0000000008e8cd00 000007fef4674191 System.Data.DataView.SetIndex2(System.String, System.Data.DataViewRowState, System.Data.IFilter, Boolean)

0000000008e8ce10 000007fef4b173f3 System.Data.DataView..ctor(System.Data.DataTable)

0000000008e8ce50 000007fe9ace32ba *** WARNING: Unable to verify checksum for XXXXXXXXX.Drp.LSPub.Common.dll

*** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Drp.LSPub.Common.dll

XXXXXXXXX.Drp.LS.Common.DataTableCompressWithSurrogateLS.GZipCompressDataTableWithSurrogate(System.Data.DataTable, Int32)

0000000008e8cf00 000007fe9ace2e78 XXXXXXXXX.Drp.LS.Common.DataSetCompressWithSurrogateLS.GZipCompressDataSetWithSurrogate(System.Data.DataSet, Int32)

0000000008e8cf90 000007fe9acda622 *** WARNING: Unable to verify checksum for XXXXXXXXX.Drp.Biz.dll

*** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Drp.Biz.dll

XXXXXXXXX.Drp.Biz.Service.BaseReferBillSrv.GetReferInfo(System.String, System.String, System.String, System.String, System.String, System.String, Boolean, Int32, Int32, Int32)

0000000008e8d2d0 000007fef8beafb3 [DebuggerU2MCatchHandlerFrame: 0000000008e8d2d0]

0000000008e8d5e8 000007fef8beafb3 [HelperMethodFrame_PROTECTOBJ: 0000000008e8d5e8] System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)

0000000008e8d760 000007fef7ac2e8c System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[]) [f:\dd\ndp\clr\src\BCL\System\Reflection\MethodInfo.cs @ ]

0000000008e8d7d0 000007fef7ac05b3 System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo) [f:\dd\ndp\clr\src\BCL\System\Reflection\MethodInfo.cs @ ]

0000000008e8d850 000007fe9a0f2705 *** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Platform.AppFramework.RestfulService.dll

XXXXXXXXX.Platform.AppFramework.Service.GSPRestfulContext.Invoke(System.String, System.String, System.String, Boolean, System.String[], Int32[] ByRef, System.String[] ByRef)

0000000008e8d910 000007fe9a0f2088 *** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Platform.AppFramework.RESTFulWebService.dll

XXXXXXXXX.Platform.AppFramework.RESTFulWebService.GSPHttpWebHandler.Invoke(System.IO.BinaryReader, System.Web.HttpContext)

0000000008e8da10 000007fe9a0f1599 XXXXXXXXX.Platform.AppFramework.RESTFulWebService.GSPHttpWebHandler.ProcessRequest(System.Web.HttpContext)

0000000008e8db50 000007fef1aab401 *** WARNING: Unable to verify checksum for System.Web.ni.dll

System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

0000000008e8dc30 000007fef1a725c5 System.Web.HttpApplication.ExecuteStep(IExecutionStep, Boolean ByRef)

0000000008e8dcd0 000007fef2316528 System.Web.HttpApplication+ApplicationStepManager.ResumeSteps(System.Exception)

0000000008e8dd80 000007fef21ff503 System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(System.Web.HttpContext, System.AsyncCallback, System.Object)

0000000008e8dde0 000007fef2222d15 System.Web.HttpRuntime.ProcessRequestInternal(System.Web.HttpWorkerRequest)

0000000008e8dea0 000007fef2306b32 System.Web.Hosting.ISAPIRuntime.ProcessRequest(IntPtr, Int32)

0000000008e8dfc0 000007fef21cd220 DomainNeutralILStubClass.IL_STUB_COMtoCLR(Int64, Int32, IntPtr)

0000000008e8e288 000007fef8d49a79 [ContextTransitionFrame: 0000000008e8e288]

0000000008e8e5c0 000007fef8d49a79 [ComMethodFrame: 0000000008e8e5c0]

:> !ip2md 000007fe9ace2e78

MethodDesc:   000007fe9aca9310

Method Name:  XXXXXXXXX.Drp.LS.Common.DataSetCompressWithSurrogateLS.GZipCompressDataSetWithSurrogate(System.Data.DataSet, Int32)

Class:        000007fe9accf968

MethodTable:  000007fe9aca9378

mdToken:

Module:       000007fe9ac5b1c0

IsJitted:     yes

CodeAddr:     000007fe9ace2cd0

Transparency: Critical

:> !dumpmodule  000007fe9ac5b1c0

Name:       C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\cwbase\11c1fc51\baae3393\assembly\dl3\76754fbe\005f3d82_ab2ad201\XXXXXXXXX.Drp.LSPub.Common.dll

Attributes: PEFile

Assembly:   000000000dd0f9d0

LoaderHeap:

TypeDefToMethodTableMap: 000007fe9ac84708

TypeRefToMethodTableMap: 000007fe9ac84878

MethodDefToDescMap:      000007fe9ac84b88

FieldDefToDescMap:       000007fe9ac86228

MemberRefToDescMap:

FileReferencesMap:       000007fe9ac86e88

AssemblyReferencesMap:   000007fe9ac86e90

MetaData start address:  000000000440d52c ( bytes)

:> !SaveModule  000007fe9ac5b1c0 d:\XXXXXXXXX.Drp.LSPub.Common.dll

 sections in file

section  - VA=, VASize=2cb94, FileAddr=, FileSize=2cc00

section  - VA=, VASize=, FileAddr=2ce00, FileSize=

section  - VA=, VASize=c, FileAddr=2d200, FileSize=

利用windbg获取dump的dll文件的更多相关文章

  1. Windows下利用Windbg 分析dump

    概述: 注册生成dump文件的函数. 当程序收到没有捕获的异常时,调用上述函数,生成dump文件. 利用Windbg结合编译程序时生成的pdb和代码来分析dump文件,定位问题. 如下代码生成dump ...

  2. 类库从自带的配置文件中获取信息(DLL文件 获取 DLL文件自带的配置信息) z

    http://blog.csdn.net/shuaishifu/article/details/19602059 类库调用自身所带的配置文件中的配置信息,而不是读取应用程序所带的配置信息.代码如下: ...

  3. 获取当前运行dll文件的路径

    char moduledir[MAX_PATH];  GetModuleFileNameA(GetModuleHandleA("ppdl_BE081_BIW_seal_library.dll ...

  4. (转)解决WinDbg调试Dump文件不同环境mscordacwks.dll版本问题

    解决WinDbg调试Dump文件不同环境mscordacwks.dll版本问题   开发人员提交一个dump文件(Windows Server 2008 R2),当前调试环境Windows Serve ...

  5. 【应用服务 App Service】快速获取DUMP文件(App Service for Windows(.NET/.NET Core))

    问题情形 当应用在Azure 应用服务App Service中运行时,有时候出现CPU,Memory很高,但是没有明显的5XX错误和异常日志,有时就是有异常但是也不能明确的指出具体的代码错误.当面临这 ...

  6. 利用VS2005进行dump文件调试

    前言:利用drwtsn32或NTSD进行程序崩溃处理,都可以生成可用于调试的dmp格式文件.使用VS2005打开生成的DMP文件,能很方便的找出BUG所在位置.本文将讨论以下内容: 1.  程序编译选 ...

  7. 利用VS2005进行dump文件调试(17篇博客)

    前言:利用drwtsn32或NTSD进行程序崩溃处理,都可以生成可用于调试的dmp格式文件.使用VS2005打开生成的DMP文件,能很方便的找出BUG所在位置.本文将讨论以下内容: 1.  程序编译选 ...

  8. 利用Costura.Fody制作绿色单文件程序(C#程序(含多个Dll)合并成一个Exe)

    原文:利用Costura.Fody制作绿色单文件程序(C#程序(含多个Dll)合并成一个Exe) 开发程序的时候经常会引用一些第三方的DLL,然后编译生成的exe文件就不能脱离这些DLL独立运行了.这 ...

  9. 编程实战——电影管理器之利用MediaInfo获取高清视频文件的相关信息

    随着高速(20M)宽带.HTPC.大容量硬盘(3T)的普及,下载高清片并利用大屏幕观看也成为普通的事情. 随着下载影片的增多,管理就有了问题,有时在茫茫文件夹下找寻一个影片也是一件费时费力的事. 于是 ...

随机推荐

  1. Learning opencv续不足(七)线图像的设计D

    因为线图像startline有了起点和终点,我们就可以用DDA法求出线上所有点,任意斜率直线通过四象限八区域查表法界定.我们只示范一个区域:函数为: public PointF DdaFindPtIm ...

  2. SpringBoot启动报jdbc连接池错误

    如图,启动报连接池错误 项目中没有使用任何连接池,以为没用连接池的原因,所以配置了druid,一开始可以正常启动,但后来重启项目时仍旧报同样的错.网上找了资料,url中加useSSL=false,显式 ...

  3. uva 10048 Audiophobia UVA - 10048

    题目简介 一个无向正权图,求任意两个节点之间的路径里最短的路径长度. 直接Floyd解决,就是注意要把Floyd的DP式子改一下成 G[i][j]=min(G[i][j],max(G[i][k],G[ ...

  4. CSS练习:仿小米官网

    代码: <!DOCTYPE html> <html lang="zh-cn"> <head> <meta charset="UT ...

  5. 00.不规则json序列化使用eval、demjson

    有下面一段字符串 import json str0 = '[{"name":"白云大道营业厅","siteaddr":"x...& ...

  6. bupt summer training for 16 #6 ——图论

    https://vjudge.net/contest/174020 A.100条双向边,每个点最少连2个边 所以最多100个点,点的标号需要离散化 然后要求恰好经过n条路径 快速幂,乘法过程就是flo ...

  7. 从零搭建流媒体服务器+obs推流直播

    背景介绍 本文使用的流媒体服务器的搭建是基于rtmp(Real Time Message Protocol)协议的,rtmp协议是应用层的协议,要依靠底层的传输层协议,比如tcp协议来保证信息传输的可 ...

  8. [luogu2209][USACO13]燃油经济性Fuel Economy_贪心

    燃油经济性Fuel Economy 题目大意:FJ想要去旅行.他的车总容量为G,每行驶一个单位就消耗一个单位的油.FJ要行驶D个单位的距离.期间存在n个加油站,每个加油站有一个价格,表示在这个燃油站买 ...

  9. device busy

    在mount的时候经常会有device busy,这通常是因为该目录被某个用户或者进程使用.这时候可以用如下命令: fuser mount point 来看一下该mount point被哪个进程占用. ...

  10. IntelliJ IDEA 给表达式赋变量名称

    IntelliJ IDEA 给表达式赋变量名称 学习了:http://blog.csdn.net/tiny__wang/article/details/52988790 类似于Eclipse中的ctr ...