How can I extract DLL file from memory dump?

Question

I have a memory dump (unmanaged process) . How can I extract (using windbg) one of the dlls loaded into the process ? I mean actually saving the dll file into the disk

Answer 1

Yes, it's true. calc.exe will also pull up its multi user language interface information and attach it in memory, as will a lot of Windows programs like mspaint, photoviewer, etc.

Answer 2

To extract a DLL without using SOS, use the .writemem extension as follows:

1. discover the module start and end addresses using lmvm dllname
   example output for ieframe:
   start end module name
61370000 61fb8000 ieframe

2. calculate the length = end-start: ? 61fb8000 - 61370000
   output: Evaluate expression: 12877823 = 00c48000

3. then save the DLL as follows:
   .writemem C:\tmp\mydll.dll 61370000 L?00c48000

This is unlikely to give you the exact DLL as it was loaded from disk, fixing this up is non-trivial.

(Partly based on this article)

Answer 3

You can use the sos.dll inside windbg directory.

First, load the sos.dll in windbg:

.load clr10\sos.dll

Then use !sam OR !SaveAllModule to extract the modules on specific disk location:

!sam c:\notepad