利用windbg获取dump的dll文件

根据堆栈对应的地址查找其对应的Module ID，然后将对应的Module保存。

!IP2MD 命令从托管函数中获取 MethodDesc 结构地址。

!dumpmodule 1caa50 下面的命令显示有关在地址 1caa50 处的模块的信息。

 

!SaveModule <基址> <文件名> 将加载到内存中指定地址的图像写入指定文件。

 

IP2MD帮助信息

0:000> !help IP2MD
-------------------------------------------------------------------------------
!IP2MD <Code address>

Given an address in managed JITTED code, IP2MD attempts to find the MethodDesc
associated with it. For example, this output from K:

    0:000> K
    ChildEBP RetAddr
    00a79c78 03ef02ab image00400000!Mainy.Top()+0xb
    00a79c78 03ef01a6 image00400000!Mainy.Level(Int32)+0xb
    00a79c78 5d3725a1 image00400000!Mainy.Main()+0xee
    0012ea04 5d512f59 clr!CallDescrWorkerInternal+0x30
    0012ee34 5d7946aa clr!CallDescrWorker+0x109

    0:000> !IP2MD 03ef01a6
    MethodDesc:   00902f40
    Method Name:  Mainy.Main()
    Class:        03ee1424
    MethodTable:  009032d8
    mdToken:      0600000d
    Module:       001caa38
    IsJitted:     yes
    CodeAddr:     03ef00b8
    Transparency: Critical
    Source file:  c:Codeprj.miniexc.cs @ 39

We have taken a return address into Mainy.Main, and discovered information 
about that method. You could run !U, !DumpMT, !DumpClass, !DumpMD, or 
!DumpModule on the fields listed to learn more.

The "Source line" output will only be present if the debugger can find the 
symbols for the managed module containing the given <code address>, and if the 
debugger is configured to load line number information.

dumpmodule帮助信息

0:000> !help dumpmodule
-------------------------------------------------------------------------------
!DumpModule [-mt] <Module address>

You can get a Module address from !DumpDomain, !DumpAssembly and other 
functions. Here is sample output:

    0:000> !DumpModule 1caa50
    Name: C:pubunittest.exe
    Attributes: PEFile
    Assembly: 001ca248
    LoaderHeap: 001cab3c
    TypeDefToMethodTableMap: 03ec0010
    TypeRefToMethodTableMap: 03ec0024
    MethodDefToDescMap: 03ec0064
    FieldDefToDescMap: 03ec00a4
    MemberRefToDescMap: 03ec00e8
    FileReferencesMap: 03ec0128
    AssemblyReferencesMap: 03ec012c
    MetaData start address: 00402230 (1888 bytes)

The Maps listed map metadata tokens to CLR data structures. Without going into 
too much detail, you can examine memory at those addresses to find the 
appropriate structures. For example, the TypeDefToMethodTableMap above can be 
examined:

    0:000> dd 3ec0010
    03ec0010  00000000 00000000 0090320c 0090375c
    03ec0020  009038ec ...

This means TypeDef token 2 maps to a MethodTable with the value 0090320c. You 
can run !DumpMT to verify that. The MethodDefToDescMap takes a MethodDef token 
and maps it to a MethodDesc, which can be passed to !DumpMD.

There is a new option "-mt", which will display the types defined in a module,
and the types referenced by the module. For example:

    0:000> !dumpmodule -mt 1aa580
    Name: C:pubunittest.exe
    ...<etc>...
    MetaData start address: 0040220c (1696 bytes)

    Types defined in this module

          MT    TypeDef Name
    --------------------------------------------------------------------------
    030d115c 0x02000002 Funny
    030d1228 0x02000003 Mainy

    Types referenced in this module

          MT    TypeRef Name
    --------------------------------------------------------------------------
    030b6420 0x01000001 System.ValueType
    030b5cb0 0x01000002 System.Object
    030fceb4 0x01000003 System.Exception
    0334e374 0x0100000c System.Console
    03167a50 0x0100000e System.Runtime.InteropServices.GCHandle
    0336a048 0x0100000f System.GC

SaveModule帮助信息

0:000> !help SaveModule
-------------------------------------------------------------------------------
!SaveModule <Base address> <Filename>

This command allows you to take a image loaded in memory and write it to a 
file. This is especially useful if you are debugging a full memory dump, and 
don't have the original DLLs or EXEs. This is most often used to save a managed
binary to a file, so you can disassemble the code and browse types with ILDASM.

The base address of an image can be found with the "LM" debugger command:

    0:000> lm
    start    end        module name
    00400000 00408000   image00400000     (deferred)
    10200000 102ac000   MSVCR80D     (deferred)
    5a000000 5a0b1000   mscoree      (deferred)
    5a140000 5a29e000   clrjit     (deferred)
    5b660000 5c440000   mscorlib_dll     (deferred)
    5d1d0000 5e13c000   clr     (deferred)
    ...

If I wanted to save a copy of clr.dll, I could run:

    0:000> !SaveModule 5d1d0000 c:pubout.tmp
    4 sections in file
    section 0 - VA=1000, VASize=e82da9, FileAddr=400, FileSize=e82e00
    section 1 - VA=e84000, VASize=24d24, FileAddr=e83200, FileSize=ec00
    section 2 - VA=ea9000, VASize=5a8, FileAddr=e91e00, FileSize=600
    section 3 - VA=eaa000, VASize=c183c, FileAddr=e92400, FileSize=c1a00

The diagnostic output indicates that the operation was successful. If 
c:pubout.tmp already exists, it will be overwritten.

以下为一次获取dll文件的全过程

0:000> .load E:dumpsos
0:000> !clrstack
OS Thread Id: 0x10968 (0)
        Child SP               IP Call Site
0000000008e8c9d0 000007fef46779b1 *** WARNING: Unable to verify checksum for System.Data.ni.dll
System.Data.RBTree`1[[System.Int32, mscorlib]].IncreaseSize(Int32)
0000000008e8ca00 000007fef467744a System.Data.RBTree`1[[System.Int32, mscorlib]].RBInsert(Int32, Int32, Int32, Int32, Boolean)
0000000008e8ca80 000007fef467497c System.Data.Index.InitRecords(System.Data.IFilter)
0000000008e8cb10 000007fef46746cf System.Data.Index..ctor(System.Data.DataTable, System.Data.IndexField[], System.Comparison`1, System.Data.DataViewRowState, System.Data.IFilter)
0000000008e8cbc0 000007fef466b838 System.Data.DataTable.GetIndex(System.Data.IndexField[], System.Data.DataViewRowState, System.Data.IFilter)
0000000008e8cc50 000007fef467442f System.Data.DataView.UpdateIndex(Boolean, Boolean)
0000000008e8cd00 000007fef4674191 System.Data.DataView.SetIndex2(System.String, System.Data.DataViewRowState, System.Data.IFilter, Boolean)
0000000008e8ce10 000007fef4b173f3 System.Data.DataView..ctor(System.Data.DataTable)
0000000008e8ce50 000007fe9ace32ba *** WARNING: Unable to verify checksum for XXXXXXXXX.Drp.LSPub.Common.dll
*** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Drp.LSPub.Common.dll
XXXXXXXXX.Drp.LS.Common.DataTableCompressWithSurrogateLS.GZipCompressDataTableWithSurrogate(System.Data.DataTable, Int32)
0000000008e8cf00 000007fe9ace2e78 XXXXXXXXX.Drp.LS.Common.DataSetCompressWithSurrogateLS.GZipCompressDataSetWithSurrogate(System.Data.DataSet, Int32)
0000000008e8cf90 000007fe9acda622 *** WARNING: Unable to verify checksum for XXXXXXXXX.Drp.Biz.dll
*** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Drp.Biz.dll
XXXXXXXXX.Drp.Biz.Service.BaseReferBillSrv.GetReferInfo(System.String, System.String, System.String, System.String, System.String, System.String, Boolean, Int32, Int32, Int32)
0000000008e8d2d0 000007fef8beafb3 [DebuggerU2MCatchHandlerFrame: 0000000008e8d2d0] 
0000000008e8d5e8 000007fef8beafb3 [HelperMethodFrame_PROTECTOBJ: 0000000008e8d5e8] System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
0000000008e8d760 000007fef7ac2e8c System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[]) [f:dd
dpclrsrcBCLSystemReflectionMethodInfo.cs @ 796]
0000000008e8d7d0 000007fef7ac05b3 System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo) [f:dd
dpclrsrcBCLSystemReflectionMethodInfo.cs @ 767]
0000000008e8d850 000007fe9a0f2705 *** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Platform.AppFramework.RestfulService.dll
XXXXXXXXX.Platform.AppFramework.Service.GSPRestfulContext.Invoke(System.String, System.String, System.String, Boolean, System.String[], Int32[] ByRef, System.String[] ByRef)
0000000008e8d910 000007fe9a0f2088 *** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Platform.AppFramework.RESTFulWebService.dll
XXXXXXXXX.Platform.AppFramework.RESTFulWebService.GSPHttpWebHandler.Invoke(System.IO.BinaryReader, System.Web.HttpContext)
0000000008e8da10 000007fe9a0f1599 XXXXXXXXX.Platform.AppFramework.RESTFulWebService.GSPHttpWebHandler.ProcessRequest(System.Web.HttpContext)
0000000008e8db50 000007fef1aab401 *** WARNING: Unable to verify checksum for System.Web.ni.dll
System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
0000000008e8dc30 000007fef1a725c5 System.Web.HttpApplication.ExecuteStep(IExecutionStep, Boolean ByRef)
0000000008e8dcd0 000007fef2316528 System.Web.HttpApplication+ApplicationStepManager.ResumeSteps(System.Exception)
0000000008e8dd80 000007fef21ff503 System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(System.Web.HttpContext, System.AsyncCallback, System.Object)
0000000008e8dde0 000007fef2222d15 System.Web.HttpRuntime.ProcessRequestInternal(System.Web.HttpWorkerRequest)
0000000008e8dea0 000007fef2306b32 System.Web.Hosting.ISAPIRuntime.ProcessRequest(IntPtr, Int32)
0000000008e8dfc0 000007fef21cd220 DomainNeutralILStubClass.IL_STUB_COMtoCLR(Int64, Int32, IntPtr)
0000000008e8e288 000007fef8d49a79 [ContextTransitionFrame: 0000000008e8e288] 
0000000008e8e5c0 000007fef8d49a79 [ComMethodFrame: 0000000008e8e5c0] 
0:000> !ip2md 000007fe9ace2e78
MethodDesc:   000007fe9aca9310
Method Name:  XXXXXXXXX.Drp.LS.Common.DataSetCompressWithSurrogateLS.GZipCompressDataSetWithSurrogate(System.Data.DataSet, Int32)
Class:        000007fe9accf968
MethodTable:  000007fe9aca9378
mdToken:      0000000006000293
Module:       000007fe9ac5b1c0
IsJitted:     yes
CodeAddr:     000007fe9ace2cd0
Transparency: Critical
0:000> !dumpmodule  000007fe9ac5b1c0
Name:       C:WindowsMicrosoft.NETFramework64v4.0.30319Temporary ASP.NET Filescwbase11c1fc51aae3393assemblydl376754fbe05f3d82_ab2ad201XXXXXXXXX.Drp.LSPub.Common.dll
Attributes: PEFile 
Assembly:   000000000dd0f9d0
LoaderHeap:              0000000000000000
TypeDefToMethodTableMap: 000007fe9ac84708
TypeRefToMethodTableMap: 000007fe9ac84878
MethodDefToDescMap:      000007fe9ac84b88
FieldDefToDescMap:       000007fe9ac86228
MemberRefToDescMap:      0000000000000000
FileReferencesMap:       000007fe9ac86e88
AssemblyReferencesMap:   000007fe9ac86e90
MetaData start address:  000000000440d52c (71044 bytes)
0:000> !SaveModule  000007fe9ac5b1c0 d:XXXXXXXXX.Drp.LSPub.Common.dll
3 sections in file
section 0 - VA=2000, VASize=2cb94, FileAddr=200, FileSize=2cc00
section 1 - VA=30000, VASize=398, FileAddr=2ce00, FileSize=400
section 2 - VA=32000, VASize=c, FileAddr=2d200, FileSize=200