Special Command—Displaying Information From Modules/DLLs with !dlls
The !dlls extension displays the table entries of all loaded modules. You can also use it to display all modules that a specified thread or process is using.
The WinDbg help file describes all parameters. Here we are going to show the most common usage.
Displays file headers and section headers:
!dlls -a
0:801> !dlls -a
0x00543598: C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe
Base 0x00400000 EntryPoint 0x00411929 Size 0x00027000
Flags 0x00004000 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_ENTRY_PROCESSED
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (i386)
6 number of sections
48785A80 time date stamp Sat Jul 12 00:17:20 2008
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
103 characteristics
Relocations stripped
Executable
32 bit word machine
OPTIONAL HEADER VALUES
10B magic #
9.00 linker version
C400 size of code
7C00 size of initialized data
0 size of uninitialized data
11929 address of entry point
1000 base of code
1000 base of data
----- new -----
00400000 image base
1000 section alignment
200 file alignment
2 subsystem (Windows GUI)
5.00 operating system version
0.00 image version
5.00 subsystem version
27000 size of image
400 size of headers
0 checksum
00100000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
00400100 Opt Hdr
0 [ 0] address [size] of Export Directory
23000 [ 8C] address [size] of Import Directory
25000 [ 1E7C] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
0 [ 101] address [size] of Base Relocation Directory
1E940 [ 1C] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
0 [ 0] address [size] of Load Configuration Directory
0 [ 0] address [size] of Bound Import Directory
23884 [ 7F8] address [size] of Import Address Table Directory
0 [ 0] address [size] of Reserved Directory
0 [ 0] address [size] of Reserved Directory
0 [ 0] address [size] of Reserved Directory
SECTION HEADER #1
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #2
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #3
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #4
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #5
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #6
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
Displays version numbers:
!dlls -v
0:801> !dlls -v
0x00543598: C:\development\My Tools\Book\mtgdi\Debug\MtGdi.exe
Base 0x00400000 EntryPoint 0x00411929 Size 0x00027000
Flags 0x00004000 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_ENTRY_PROCESSED
Product Name MTGDI Application
Product Version 1, 0, 0, 1
Original Filename MTGDI.EXE
File Description MTGDI MFC Application
File Version 1, 0, 0, 1
0x00543628: C:\Windows\SysWOW64\ntdll.dll
Base 0x77630000 EntryPoint 0x00000000 Size 0x00180000
Flags 0x80004004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
Company Name Microsoft Corporation
Product Name Microsoft® Windows® Operating System
Product Version 6.1.7100.0
Original Filename ntdll.dll
File Description NT Layer DLL
File Version 6.1.7100.0 (winmain_win7rc.090421-1700)
0x005439a8: C:\Windows\syswow64\kernel32.dll
Base 0x769d0000 EntryPoint 0x769e3e8a Size 0x00100000
Flags 0x80084004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED
Company Name Microsoft Corporation
Product Name Microsoft® Windows® Operating System
Product Version 6.1.7100.0
Original Filename kernel32
File Description Windows NT BASE API Client DLL
File Version 6.1.7100.0 (winmain_win7rc.090421-1700)
0x00543ac0: C:\Windows\syswow64\KERNELBASE.dll
Base 0x76ad0000 EntryPoint 0x76ad563f Size 0x00044000
Flags 0x80084004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED
Company Name Microsoft Corporation
Product Name Microsoft® Windows® Operating System
Product Version 6.1.7100.0
Original Filename Kernelbase
File Description Windows NT BASE API Client DLL
File Version 6.1.7100.0 (winmain_win7rc.090421-1700)
Using a module address to display information from a specific DLL:
!dlls -c <moduleAddress>
0:801> !dlls -c 63390000
Dump dll containing 0x63390000:
0x00544998: C:\Windows\WinSxS\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb\MSVCR90D.dll
Base 0x63390000 EntryPoint 0x633cc6f0 Size 0x00123000
Flags 0x90084004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED
LDRP_REDIRECTED
Comments
Anonymous
December 05, 2012
How can we read the output of !dlls -v programmatically?
Anonymous
December 12, 2012
You'll need to create a script for that. This is an example of what I mean: blogs.msdn.com/.../windbg-script-displaying-the-com-object-referenced-by-an-rcw-object.aspx Thanks, Roberto