fremag
commented
4 years ago The dlls are not in the memory dump: it contains only data, no executable code so I don't think it's possible.
Open ttodua opened 4 years ago
fremag
commented
4 years ago The dlls are not in the memory dump: it contains only data, no executable code so I don't think it's possible.
Muppetdog
commented
4 years ago If its a full memory dump, the full dlls are in the dump. I pull them out via windbg and reflect them all the time.
TheXenocide
commented
4 years ago Right, this very much depends on whether the dump is a full dump or a minidump
ttodua
commented
4 years ago yes, full dump
@Muppetdog can you point me (where can i read) how to do, step by step?
fremag
commented
4 years ago I'm sorry but I've no idea how to do that.
Memoscope is just a UI: all features come from ClrMd and I can't find anything in this to extract dlls. I know ClrMd 2.0 is coming soon, I'll check then.
Muppetdog
commented
4 years ago Easiest way to dump out dlls from a dump is with the Mex debugging extension for Windbg.
!writemodule -a -p pathtosave
It will save all the modules in the dump, managed and unmanaged
https://www.microsoft.com/en-us/download/details.aspx?id=53304
under Memory>Modules, we can view DLLs... but when right click on any item in the list, it only shows: "Copy selected rows".
so, is there any way, and if so, an example - how to get dll to write to a normal .dll file for further usage for JustDecompile ( or like that)?
or to write whole content of specific dll dump into a readable files, similarly as JustDecompile (or etc), create a project folder from .DLL