
How do I find the image base address of a process from a crash dump in WinDbg

I have a memory crash dump, and I can list processes with !process 0 0

What I want to do is find the Image Base Address of calc.exe and get its contents from the memory. Potentially saving it into a file.

What do I need to do to achieve that?

Edit: the type of dump I have is "automatic dump" but I would like to know the technique for other types such as full core dump

A dump can be of several types. What type of dump is it: user mode or kernel mode? Is it a minidump or a full dump?

In many cases the pages may not be present, either being paged out or intentionally discarded (the init section of modules).

Anyway, if user mode, try !vadump or !address to locate the module of interest, find its start address and end address, and try dumping in page-size increments (0x1000 bytes) using .writemem.

In kernel mode use !vad

and follow both commands with lm or !dh to get the module information in both user mode and kernel mode.

Here is a user mode dump !address info:

F:\caldump>cdb -c "!address calculator;q" -z calc.dmp | awk "/Reading/,/quit/"

0:023> cdb: Reading initial command '!address calculator;q'


Usage:                  Image
Base Address:           00007ff7`04a30000
End Address:            00007ff7`04a31000
Region Size:            00000000`00001000 (   4.000 kB)
State:                  00001000          MEM_COMMIT
Protect:                00000002          PAGE_READONLY
Type:                   01000000          MEM_IMAGE
Allocation Base:        00007ff7`04a30000
Allocation Protect:     00000080          PAGE_EXECUTE_WRITECOPY
Image Path:             C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
Module Name:            Calculator
Loaded Image Name:
Mapped Image Name:
More info:              lmv m Calculator
More info:              !lmi Calculator
More info:              ln 0x7ff704a30000
More info:              !dh 0x7ff704a30000
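The page-by-page approach above (find the module's start and end, then .writemem one page at a time so a paged-out page only fails on its own) can be scripted outside the debugger. The following is an added example, not code from the answer or from the Debugging Tools: it parses the Base/End Address lines of an !address report, parses a constructed `lm` line (the 0x3000 module size in it is an assumption, not a value from the page; the !address report shown only covers the first 4 kB header region), emits one .writemem command per page, and reassembles the dumped pages into one image while reporting which pages were missing.

```python
import re
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 0x1000  # one page, the increment suggested in the answer above

# Constructed sample: the relevant lines of a WinDbg !address report, taken from the
# format shown on the page, and a hypothetical `lm m Calculator` line whose end address
# (0x7ff704a33000) is an assumption made for this example.
SAMPLE_ADDRESS_OUTPUT = """\
Usage:                  Image
Base Address:           00007ff7`04a30000
End Address:            00007ff7`04a31000
Region Size:            00000000`00001000 (   4.000 kB)
Module Name:            Calculator
"""
SAMPLE_LM_LINE = "00007ff7`04a30000 00007ff7`04a33000   Calculator   (deferred)"


def parse_hex(token: str) -> int:
    """Turn a WinDbg 64-bit address such as 00007ff7`04a30000 into an int."""
    return int(token.replace("`", ""), 16)


def parse_address_region(text: str) -> Tuple[int, int]:
    """Extract (base, end) of the region described by an !address report."""
    base = re.search(r"^Base Address:\s+([0-9a-fA-F`]+)", text, re.M)
    end = re.search(r"^End Address:\s+([0-9a-fA-F`]+)", text, re.M)
    if not base or not end:
        raise ValueError("no Base/End Address lines in !address output")
    return parse_hex(base.group(1)), parse_hex(end.group(1))


def parse_lm_line(line: str) -> Tuple[int, int, str]:
    """Extract (start, end, module name) from one line of `lm` output."""
    start, end, name = line.split()[:3]
    return parse_hex(start), parse_hex(end), name


def writemem_commands(start: int, end: int, module: str, out_dir: str) -> List[str]:
    """One .writemem per page, so an unreadable (paged-out) page fails alone."""
    cmds = []
    for page in range(start, end, PAGE_SIZE):
        cmds.append(
            f".writemem {out_dir}\\{module}_{page:016x}.bin {page:x} L{PAGE_SIZE:x}"
        )
    return cmds


def reassemble(
    start: int, end: int, pages: Dict[int, Optional[bytes]]
) -> Tuple[bytes, List[int]]:
    """Stitch dumped pages back into one image; missing pages become zero-filled
    and their addresses are returned so the gaps are not silently hidden."""
    image = bytearray()
    missing: List[int] = []
    for page in range(start, end, PAGE_SIZE):
        data = pages.get(page)
        if data is None:
            missing.append(page)
            image += b"\x00" * PAGE_SIZE
        else:
            image += data.ljust(PAGE_SIZE, b"\x00")[:PAGE_SIZE]
    return bytes(image), missing


if __name__ == "__main__":
    base, header_end = parse_address_region(SAMPLE_ADDRESS_OUTPUT)
    start, end, name = parse_lm_line(SAMPLE_LM_LINE)
    assert base == start
    # Write these lines to a file and run it with `$$<file` in WinDbg or `cdb -cf file -z calc.dmp`.
    print("\n".join(writemem_commands(start, end, name, r"F:\caldump")))
```

The per-page file names carry the page address, so the reassembly step can map each dump file back to its offset in the module and pad the pages .writemem could not read; the returned list of missing pages tells you how much of the image is padding rather than memory content.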

Since !process 0 0 works, it's a kernel dump. Try inspecting the PEB:

https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/-peb
