Share via

Special Command—Displaying Information From Modules/DLLs with !dlls

  • Article
  • 08/19/2009

!dlls extension displays the table entries of all loaded modules. You can also use it to display all modules that a specified thread or process is using.

The WinDbg help file describes all parameters. Here we are going to show the most common usage.

 

Displays file headers and section headers:

 

!dlls –a

 

0:801> !dlls –a

 

0x00543598: C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe

      Base 0x00400000 EntryPoint 0x00411929 Size 0x00027000

      Flags 0x00004000 LoadCount 0x0000ffff TlsIndex 0x00000000

             LDRP_ENTRY_PROCESSED

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES

     14C machine (i386)

       6 number of sections

48785A80 time date stamp Sat Jul 12 00:17:20 2008

       0 file pointer to symbol table

       0 number of symbols

      E0 size of optional header

     103 characteristics

            Relocations stripped

            Executable

            32 bit word machine

OPTIONAL HEADER VALUES

     10B magic #

    9.00 linker version

    C400 size of code

    7C00 size of initialized data

       0 size of uninitialized data

   11929 address of entry point

    1000 base of code

    1000 base of data

         ----- new -----

00400000 image base

    1000 section alignment

     200 file alignment

       2 subsystem (Windows GUI)

    5.00 operating system version

    0.00 image version

    5.00 subsystem version

   27000 size of image

     400 size of headers

       0 checksum

00100000 size of stack reserve

00001000 size of stack commit

00100000 size of heap reserve

00001000 size of heap commit

00400100 Opt Hdr

       0 [ 0] address [size] of Export Directory

   23000 [ 8C] address [size] of Import Directory

   25000 [ 1E7C] address [size] of Resource Directory

       0 [ 0] address [size] of Exception Directory

       0 [ 0] address [size] of Security Directory

       0 [ 101] address [size] of Base Relocation Directory

   1E940 [ 1C] address [size] of Debug Directory

       0 [ 0] address [size] of Description Directory

       0 [ 0] address [size] of Special Directory

       0 [ 0] address [size] of Thread Storage Directory

       0 [ 0] address [size] of Load Configuration Directory

       0 [ 0] address [size] of Bound Import Directory

   23884 [ 7F8] address [size] of Import Address Table Directory

       0 [ 0] address [size] of Reserved Directory

       0 [ 0] address [size] of Reserved Directory

       0 [ 0] address [size] of Reserved Directory

SECTION HEADER #1

  name

       0 virtual size

       0 virtual address

       0 size of raw data

       0 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

       0 flags

         (no align specified)

SECTION HEADER #2

         name

       0 virtual size

       0 virtual address

       0 size of raw data

       0 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

       0 flags

         (no align specified)

SECTION HEADER #3

         name

       0 virtual size

       0 virtual address

       0 size of raw data

       0 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

       0 flags

         (no align specified)

SECTION HEADER #4

         name

       0 virtual size

      0 virtual address

       0 size of raw data

       0 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

       0 flags

         (no align specified)

SECTION HEADER #5

         name

       0 virtual size

       0 virtual address

       0 size of raw data

       0 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

       0 flags

         (no align specified)

SECTION HEADER #6

         name

       0 virtual size

       0 virtual address

       0 size of raw data

       0 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

       0 flags

         (no align specified)

 

Displays version numbers:

 

!dlls –v

 

0:801> !dlls -v

 

0x00543598: C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe

      Base 0x00400000 EntryPoint 0x00411929 Size 0x00027000

      Flags 0x00004000 LoadCount 0x0000ffff TlsIndex 0x00000000

             LDRP_ENTRY_PROCESSED

      Product Name MTGDI Application

      Product Version 1, 0, 0, 1

      Original Filename MTGDI.EXE

      File Description MTGDI MFC Application

      File Version 1, 0, 0, 1

0x00543628: C:\Windows\SysWOW64\ntdll.dll

      Base 0x77630000 EntryPoint 0x00000000 Size 0x00180000

    Flags 0x80004004 LoadCount 0x0000ffff TlsIndex 0x00000000

             LDRP_IMAGE_DLL

             LDRP_ENTRY_PROCESSED

      Company Name Microsoft Corporation

      Product Name Microsoft® Windows® Operating System

      Product Version 6.1.7100.0

      Original Filename ntdll.dll

      File Description NT Layer DLL

      File Version 6.1.7100.0 (winmain_win7rc.090421-1700)

0x005439a8: C:\Windows\syswow64\kernel32.dll

      Base 0x769d0000 EntryPoint 0x769e3e8a Size 0x00100000

      Flags 0x80084004 LoadCount 0x0000ffff TlsIndex 0x00000000

             LDRP_IMAGE_DLL

             LDRP_ENTRY_PROCESSED

             LDRP_PROCESS_ATTACH_CALLED

      Company Name Microsoft Corporation

      Product Name Microsoft® Windows® Operating System

      Product Version 6.1.7100.0

      Original Filename kernel32

      File Description Windows NT BASE API Client DLL

      File Version 6.1.7100.0 (winmain_win7rc.090421-1700)

0x00543ac0: C:\Windows\syswow64\KERNELBASE.dll

      Base 0x76ad0000 EntryPoint 0x76ad563f Size 0x00044000

      Flags 0x80084004 LoadCount 0x0000ffff TlsIndex 0x00000000

             LDRP_IMAGE_DLL

             LDRP_ENTRY_PROCESSED

             LDRP_PROCESS_ATTACH_CALLED

      Company Name Microsoft Corporation

      Product Name Microsoft® Windows® Operating System

      Product Version 6.1.7100.0

      Original Filename Kernelbase

      File Description Windows NT BASE API Client DLL

      File Version 6.1.7100.0 (winmain_win7rc.090421-1700)

 

Using Module Address to display information from a specific dll:

 

!dlls –c <moduleAddress>

 

0:801> !dlls -c 63390000

 

Dump dll containing 0x63390000:

0x00544998: C:\Windows\WinSxS\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb\MSVCR90D.dll

      Base 0x63390000 EntryPoint 0x633cc6f0 Size 0x00123000

      Flags 0x90084004 LoadCount 0x0000ffff TlsIndex 0x00000000

             LDRP_IMAGE_DLL

             LDRP_ENTRY_PROCESSED

             LDRP_PROCESS_ATTACH_CALLED

             LDRP_REDIRECTED

Comments