The !dlls extension displays the loader table entries of all loaded modules. You can also use it to display all modules that a specified thread or process is using.
The WinDbg help file describes all of its parameters. Here we show the most common usage.
Displays file headers and section headers:
!dlls -a
0:801> !dlls -a
0x00543598: C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe
Base 0x00400000 EntryPoint 0x00411929 Size 0x00027000
Flags 0x00004000 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_ENTRY_PROCESSED
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (i386)
6 number of sections
48785A80 time date stamp Sat Jul 12 00:17:20 2008
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
103 characteristics
Relocations stripped
Executable
32 bit word machine
OPTIONAL HEADER VALUES
10B magic #
9.00 linker version
C400 size of code
7C00 size of initialized data
0 size of uninitialized data
11929 address of entry point
1000 base of code
1000 base of data
----- new -----
00400000 image base
1000 section alignment
200 file alignment
2 subsystem (Windows GUI)
5.00 operating system version
0.00 image version
5.00 subsystem version
27000 size of image
400 size of headers
0 checksum
00100000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
00400100 Opt Hdr
0 [ 0] address [size] of Export Directory
23000 [ 8C] address [size] of Import Directory
25000 [ 1E7C] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
0 [ 101] address [size] of Base Relocation Directory
1E940 [ 1C] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
0 [ 0] address [size] of Load Configuration Directory
0 [ 0] address [size] of Bound Import Directory
23884 [ 7F8] address [size] of Import Address Table Directory
0 [ 0] address [size] of Reserved Directory
0 [ 0] address [size] of Reserved Directory
0 [ 0] address [size] of Reserved Directory
SECTION HEADER #1
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #2
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #3
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #4
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #5
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #6
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
Displays version numbers:
!dlls -v
0:801> !dlls -v
0x00543598: C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe
Base 0x00400000 EntryPoint 0x00411929 Size 0x00027000
Flags 0x00004000 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_ENTRY_PROCESSED
Product Name MTGDI Application
Product Version 1, 0, 0, 1
Original Filename MTGDI.EXE
File Description MTGDI MFC Application
File Version 1, 0, 0, 1
0x00543628: C:\Windows\SysWOW64\ntdll.dll
Base 0x77630000 EntryPoint 0x00000000 Size 0x00180000
Flags 0x80004004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
Company Name Microsoft Corporation
Product Name Microsoft® Windows® Operating System
Product Version 6.1.7100.0
Original Filename ntdll.dll
File Description NT Layer DLL
File Version 6.1.7100.0 (winmain_win7rc.090421-1700)
0x005439a8: C:\Windows\syswow64\kernel32.dll
Base 0x769d0000 EntryPoint 0x769e3e8a Size 0x00100000
Flags 0x80084004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED
Company Name Microsoft Corporation
Product Name Microsoft® Windows® Operating System
Product Version 6.1.7100.0
Original Filename kernel32
File Description Windows NT BASE API Client DLL
File Version 6.1.7100.0 (winmain_win7rc.090421-1700)
0x00543ac0: C:\Windows\syswow64\KERNELBASE.dll
Base 0x76ad0000 EntryPoint 0x76ad563f Size 0x00044000
Flags 0x80084004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED
Company Name Microsoft Corporation
Product Name Microsoft® Windows® Operating System
Product Version 6.1.7100.0
Original Filename Kernelbase
File Description Windows NT BASE API Client DLL
File Version 6.1.7100.0 (winmain_win7rc.090421-1700)
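Once a debugger session has been saved to a text file (for example with .logopen), the !dlls -v output above can be post-processed outside WinDbg. The following Python parser is an added example, not code from the original post; the sample text is an abridged copy of the entries above, and the needs_review rule (no Company Name, or a path outside C:\Windows) is an assumption chosen for illustration.

```python
import re

# Constructed sample: two entries abridged from the !dlls -v output shown above.
SAMPLE = r"""0:801> !dlls -v
0x00543598: C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe
Base 0x00400000 EntryPoint 0x00411929 Size 0x00027000
Flags 0x00004000 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_ENTRY_PROCESSED
Product Name MTGDI Application
File Version 1, 0, 0, 1
0x005439a8: C:\Windows\syswow64\kernel32.dll
Base 0x769d0000 EntryPoint 0x769e3e8a Size 0x00100000
Flags 0x80084004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_PROCESS_ATTACH_CALLED
Company Name Microsoft Corporation
File Version 6.1.7100.0 (winmain_win7rc.090421-1700)
"""

ENTRY = re.compile(r"^(0x[0-9a-fA-F]+): (.+)$")  # "<table entry address>: <path>"
FIELD = re.compile(r"\b(Base|EntryPoint|Size|Flags|LoadCount|TlsIndex)\s+(0x[0-9a-fA-F]+)")
VERSION_KEYS = ("Company Name", "Product Name", "Product Version",
                "Original Filename", "File Description", "File Version")

def parse_dlls(text):
    """Return one dict per module entry found in !dlls -v output."""
    modules, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            cur = {"entry": int(m.group(1), 16), "path": m.group(2), "ldr_flags": [], "version": {}}
            modules.append(cur)
        elif cur is None or not line:
            continue  # debugger prompt or blank line before the first entry
        elif line.startswith("LDRP_"):
            cur["ldr_flags"].append(line)
        elif line.startswith(VERSION_KEYS):
            key = next(k for k in VERSION_KEYS if line.startswith(k))
            cur["version"][key] = line[len(key):].strip()
        else:
            for name, value in FIELD.findall(line):
                cur[name] = int(value, 16)
    return modules

def needs_review(mod):
    """Triage rule (assumption of this example): no Company Name, or path outside C:\\Windows."""
    return "Company Name" not in mod["version"] or not mod["path"].lower().startswith("c:\\windows\\")

if __name__ == "__main__":
    print([(m["path"], needs_review(m)) for m in parse_dlls(SAMPLE)])
```

The version resource is supplied by the file itself, so a Company Name value is a hint for sorting modules, not proof of origin.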
Using a module address to display information for a specific DLL:
!dlls -c <moduleAddress>
0:801> !dlls -c 63390000
Dump dll containing 0x63390000:
0x00544998: C:\Windows\WinSxS\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb\MSVCR90D.dll
Base 0x63390000 EntryPoint 0x633cc6f0 Size 0x00123000
Flags 0x90084004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED
LDRP_REDIRECTED
Anonymous
December 05, 2012
How can we read the output of !dlls -v programmatically?
Anonymous
December 12, 2012
You'll need to create a script for that. This is an example of what I mean: blogs.msdn.com/.../windbg-script-displaying-the-com-object-referenced-by-an-rcw-object.aspx Thanks, Roberto