Using WinDbg to extract a DLL from a dump

Abstract:
Find the module (the Module address) that a stack address belongs to, then save that module to disk. !IP2MD takes a code address inside a managed function and returns the address of its MethodDesc structure. !dumpmodule 1caa50 displays information about the module at address 1caa50. !SaveModule writes an image loaded at a given address in memory to a file.

Find the module (the Module address reported by !IP2MD) that a stack address belongs to, then save that module to disk.

!IP2MD takes a code address inside a managed (JIT-compiled) function and returns the address of its MethodDesc structure.

!dumpmodule 1caa50 (below) displays information about the module at address 1caa50.
!SaveModule <base address> <filename> writes the image loaded at the given address in memory to the given file.
IP2MD help text
0:000> !help IP2MD
-------------------------------------------------------------------------------
!IP2MD <Code address>
Given an address in managed JITTED code, IP2MD attempts to find the MethodDesc
associated with it. For example, this output from K:

    0:000> K
    ChildEBP RetAddr
    00a79c78 03ef02ab image00400000!Mainy.Top()+0xb
    00a79c78 03ef01a6 image00400000!Mainy.Level(Int32)+0xb
    00a79c78 5d3725a1 image00400000!Mainy.Main()+0xee
    0012ea04 5d512f59 clr!CallDescrWorkerInternal+0x30
    0012ee34 5d7946aa clr!CallDescrWorker+0x109

    0:000> !IP2MD 03ef01a6
    MethodDesc:   00902f40
    Method Name:  Mainy.Main()
    Class:        03ee1424
    MethodTable:  009032d8
    mdToken:      0600000d
    Module:       001caa38
    IsJitted:     yes
    CodeAddr:     03ef00b8
    Transparency: Critical
    Source file:  c:\Code\prj.mini\exc.cs @ 39
We have taken a return address into Mainy.Main, and discovered information 
about that method. You could run !U, !DumpMT, !DumpClass, !DumpMD, or 
!DumpModule on the fields listed to learn more.

The "Source line" output will only be present if the debugger can find the 
symbols for the managed module containing the given <code address>, and if the 
debugger is configured to load line number information.

dumpmodule help text

0:000> !help dumpmodule
-------------------------------------------------------------------------------
!DumpModule [-mt] <Module address>
You can get a Module address from !DumpDomain, !DumpAssembly and other 
functions. Here is sample output:

    0:000> !DumpModule 1caa50
    Name: C:\pub\unittest.exe
    Attributes: PEFile
    Assembly: 001ca248
    LoaderHeap: 001cab3c
    TypeDefToMethodTableMap: 03ec0010
    TypeRefToMethodTableMap: 03ec0024
    MethodDefToDescMap: 03ec0064
    FieldDefToDescMap: 03ec00a4
    MemberRefToDescMap: 03ec00e8
    FileReferencesMap: 03ec0128
    AssemblyReferencesMap: 03ec012c
    MetaData start address: 00402230 (1888 bytes)

The Maps listed map metadata tokens to CLR data structures. Without going into 
too much detail, you can examine memory at those addresses to find the 
appropriate structures. For example, the TypeDefToMethodTableMap above can be 
examined:

    0:000> dd 3ec0010
    03ec0010  00000000 00000000 0090320c 0090375c
    03ec0020  009038ec ...

This means TypeDef token 2 maps to a MethodTable with the value 0090320c. You 
can run !DumpMT to verify that. The MethodDefToDescMap takes a MethodDef token 
and maps it to a MethodDesc, which can be passed to !DumpMD.

There is a new option "-mt", which will display the types defined in a module,
and the types referenced by the module. For example:

    0:000> !dumpmodule -mt 1aa580
    Name: C:\pub\unittest.exe
    ...<etc>...
    MetaData start address: 0040220c (1696 bytes)

    Types defined in this module

          MT    TypeDef Name
    --------------------------------------------------------------------------
    030d115c 0x02000002 Funny
    030d1228 0x02000003 Mainy

    Types referenced in this module

          MT    TypeRef Name
    --------------------------------------------------------------------------
    030b6420 0x01000001 System.ValueType
    030b5cb0 0x01000002 System.Object
    030fceb4 0x01000003 System.Exception
    0334e374 0x0100000c System.Console
    03167a50 0x0100000e System.Runtime.InteropServices.GCHandle
    0336a048 0x0100000f System.GC

SaveModule help text

0:000> !help SaveModule
-------------------------------------------------------------------------------
!SaveModule <Base address> <Filename>
This command allows you to take an image loaded in memory and write it to a 
file. This is especially useful if you are debugging a full memory dump, and 
don't have the original DLLs or EXEs. This is most often used to save a managed
binary to a file, so you can disassemble the code and browse types with ILDASM.

The base address of an image can be found with the "LM" debugger command:

    0:000> lm
    start    end        module name
    00400000 00408000   image00400000     (deferred)
    10200000 102ac000   MSVCR80D     (deferred)
    5a000000 5a0b1000   mscoree      (deferred)
    5a140000 5a29e000   clrjit     (deferred)
    5b660000 5c440000   mscorlib_dll     (deferred)
    5d1d0000 5e13c000   clr     (deferred)
    ...

If I wanted to save a copy of clr.dll, I could run:

    0:000> !SaveModule 5d1d0000 c:\pub\out.tmp
    4 sections in file
    section 0 - VA=1000, VASize=e82da9, FileAddr=400, FileSize=e82e00
    section 1 - VA=e84000, VASize=24d24, FileAddr=e83200, FileSize=ec00
    section 2 - VA=ea9000, VASize=5a8, FileAddr=e91e00, FileSize=600
    section 3 - VA=eaa000, VASize=c183c, FileAddr=e92400, FileSize=c1a00

The diagnostic output indicates that the operation was successful. If 
c:\pub\out.tmp already exists, it will be overwritten.

Below is the full walkthrough of one extraction of a DLL from a dump

0:000> .load E:\dump\sos
0:000> !clrstack
OS Thread Id: 0x10968 (0)
        Child SP               IP Call Site
0000000008e8c9d0 000007fef46779b1 *** WARNING: Unable to verify checksum for System.Data.ni.dll
System.Data.RBTree`1[[System.Int32, mscorlib]].IncreaseSize(Int32)
0000000008e8ca00 000007fef467744a System.Data.RBTree`1[[System.Int32, mscorlib]].RBInsert(Int32, Int32, Int32, Int32, Boolean)
0000000008e8ca80 000007fef467497c System.Data.Index.InitRecords(System.Data.IFilter)
0000000008e8cb10 000007fef46746cf System.Data.Index..ctor(System.Data.DataTable, System.Data.IndexField[], System.Comparison`1, System.Data.DataViewRowState, System.Data.IFilter)
0000000008e8cbc0 000007fef466b838 System.Data.DataTable.GetIndex(System.Data.IndexField[], System.Data.DataViewRowState, System.Data.IFilter)
0000000008e8cc50 000007fef467442f System.Data.DataView.UpdateIndex(Boolean, Boolean)
0000000008e8cd00 000007fef4674191 System.Data.DataView.SetIndex2(System.String, System.Data.DataViewRowState, System.Data.IFilter, Boolean)
0000000008e8ce10 000007fef4b173f3 System.Data.DataView..ctor(System.Data.DataTable)
0000000008e8ce50 000007fe9ace32ba *** WARNING: Unable to verify checksum for XXXXXXXXX.Drp.LSPub.Common.dll
*** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Drp.LSPub.Common.dll
XXXXXXXXX.Drp.LS.Common.DataTableCompressWithSurrogateLS.GZipCompressDataTableWithSurrogate(System.Data.DataTable, Int32)
0000000008e8cf00 000007fe9ace2e78 XXXXXXXXX.Drp.LS.Common.DataSetCompressWithSurrogateLS.GZipCompressDataSetWithSurrogate(System.Data.DataSet, Int32)
0000000008e8cf90 000007fe9acda622 *** WARNING: Unable to verify checksum for XXXXXXXXX.Drp.Biz.dll
*** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Drp.Biz.dll
XXXXXXXXX.Drp.Biz.Service.BaseReferBillSrv.GetReferInfo(System.String, System.String, System.String, System.String, System.String, System.String, Boolean, Int32, Int32, Int32)
0000000008e8d2d0 000007fef8beafb3 [DebuggerU2MCatchHandlerFrame: 0000000008e8d2d0] 
0000000008e8d5e8 000007fef8beafb3 [HelperMethodFrame_PROTECTOBJ: 0000000008e8d5e8] System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
0000000008e8d760 000007fef7ac2e8c System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[]) [f:\dd\ndp\clr\src\BCL\System\Reflection\MethodInfo.cs @ 796]
0000000008e8d7d0 000007fef7ac05b3 System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo) [f:\dd\ndp\clr\src\BCL\System\Reflection\MethodInfo.cs @ 767]
0000000008e8d850 000007fe9a0f2705 *** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Platform.AppFramework.RestfulService.dll
XXXXXXXXX.Platform.AppFramework.Service.GSPRestfulContext.Invoke(System.String, System.String, System.String, Boolean, System.String[], Int32[] ByRef, System.String[] ByRef)
0000000008e8d910 000007fe9a0f2088 *** ERROR: Module load completed but symbols could not be loaded for XXXXXXXXX.Platform.AppFramework.RESTFulWebService.dll
XXXXXXXXX.Platform.AppFramework.RESTFulWebService.GSPHttpWebHandler.Invoke(System.IO.BinaryReader, System.Web.HttpContext)
0000000008e8da10 000007fe9a0f1599 XXXXXXXXX.Platform.AppFramework.RESTFulWebService.GSPHttpWebHandler.ProcessRequest(System.Web.HttpContext)
0000000008e8db50 000007fef1aab401 *** WARNING: Unable to verify checksum for System.Web.ni.dll
System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
0000000008e8dc30 000007fef1a725c5 System.Web.HttpApplication.ExecuteStep(IExecutionStep, Boolean ByRef)
0000000008e8dcd0 000007fef2316528 System.Web.HttpApplication+ApplicationStepManager.ResumeSteps(System.Exception)
0000000008e8dd80 000007fef21ff503 System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(System.Web.HttpContext, System.AsyncCallback, System.Object)
0000000008e8dde0 000007fef2222d15 System.Web.HttpRuntime.ProcessRequestInternal(System.Web.HttpWorkerRequest)
0000000008e8dea0 000007fef2306b32 System.Web.Hosting.ISAPIRuntime.ProcessRequest(IntPtr, Int32)
0000000008e8dfc0 000007fef21cd220 DomainNeutralILStubClass.IL_STUB_COMtoCLR(Int64, Int32, IntPtr)
0000000008e8e288 000007fef8d49a79 [ContextTransitionFrame: 0000000008e8e288] 
0000000008e8e5c0 000007fef8d49a79 [ComMethodFrame: 0000000008e8e5c0] 
0:000> !ip2md 000007fe9ace2e78
MethodDesc:   000007fe9aca9310
Method Name:  XXXXXXXXX.Drp.LS.Common.DataSetCompressWithSurrogateLS.GZipCompressDataSetWithSurrogate(System.Data.DataSet, Int32)
Class:        000007fe9accf968
MethodTable:  000007fe9aca9378
mdToken:      0000000006000293
Module:       000007fe9ac5b1c0
IsJitted:     yes
CodeAddr:     000007fe9ace2cd0
Transparency: Critical
0:000> !dumpmodule  000007fe9ac5b1c0
Name:       C:WindowsMicrosoft.NETFramework64v4.0.30319Temporary ASP.NET Filescwbase11c1fc51aae3393assemblydl376754fbe
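The walkthrough stops at !dumpmodule, which reports the module's on-disk path. The steps that remain are the ones documented in the SaveModule help above: take the module's base address from lm and run !SaveModule <base address> <filename>. To make concrete what that last command actually does with the in-memory image, here is an added example, not from the original post and not SOS's own code, that performs the same rebuild in Python: it parses the PE header of a byte string read at a module base (for example from a dump), copies the headers, moves each section from its VirtualAddress back to its PointerToRawData, and produces the same "section N - VA=..., VASize=..., FileAddr=..., FileSize=..." lines. The function names and the two-section sample PE it constructs for itself are mine; it assumes a PE32 or PE32+ image and does not deal with overlays or relocations.

```python
# Added example (not from the original post, and not SOS's own code): rebuild an
# on-disk PE file from the image as it is mapped in memory, which is what
# !SaveModule does when you point it at a module base in a full memory dump.
# The sample PE below is constructed here purely as test data.
import struct

SECTION_HEADER_SIZE = 40


def parse_sections(image: bytes):
    """Parse a PE header; return (SizeOfHeaders, sections).

    Each section dict carries the four fields !SaveModule prints:
    VA, VASize, FileAddr, FileSize.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (size_of_headers,) = struct.unpack_from("<I", image, opt + 60)  # same offset in PE32 and PE32+
    sections = []
    first = opt + size_of_optional
    for i in range(num_sections):
        off = first + i * SECTION_HEADER_SIZE
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append({"index": i, "name": name, "VA": va, "VASize": vsize,
                         "FileAddr": raw_ptr, "FileSize": raw_size})
    return size_of_headers, sections


def section_report(sections):
    """The same per-section summary lines that !SaveModule prints."""
    return [f"section {s['index']} - VA={s['VA']:x}, VASize={s['VASize']:x}, "
            f"FileAddr={s['FileAddr']:x}, FileSize={s['FileSize']:x}" for s in sections]


def save_module(mapped: bytes) -> bytes:
    """Convert the bytes read at a module's base address into an on-disk PE file."""
    size_of_headers, sections = parse_sections(mapped)
    total = max([size_of_headers] + [s["FileAddr"] + s["FileSize"] for s in sections])
    out = bytearray(total)
    out[:size_of_headers] = mapped[:size_of_headers].ljust(size_of_headers, b"\0")
    for s in sections:
        # Pages can be absent from a dump (never touched, paged out, or outside a
        # minidump's captured ranges). Zero-fill instead of failing so the rest of
        # the module is still recoverable; the zeros show up when you diff the
        # result against a known-good copy of the binary.
        chunk = mapped[s["VA"]:s["VA"] + s["FileSize"]].ljust(s["FileSize"], b"\0")
        out[s["FileAddr"]:s["FileAddr"] + s["FileSize"]] = chunk
    return bytes(out)


def build_sample_pe():
    """Constructed test data: a two-section PE32+ image, returned as (on_disk, mapped)
    with FileAlignment=0x200 and SectionAlignment=0x1000."""
    size_of_headers, e_lfanew = 0x200, 0x40
    text = b"\xcc" * 0x1C0                               # .text: int3 filler
    data = b"hello from .data " * 20                     # .data: 0x154 bytes, spans two 0x100 chunks
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)                                 # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, size_of_headers)  # SizeOfImage, SizeOfHeaders
    hdrs = b""
    for name, body, va, raw_ptr in ((b".text", text, 0x1000, 0x200), (b".data", data, 0x2000, 0x400)):
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(body), va, 0x200, raw_ptr, 0, 0, 0, 0, 0)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(size_of_headers, b"\0")
    text_raw, data_raw = text.ljust(0x200, b"\0"), data.ljust(0x200, b"\0")
    on_disk = headers + text_raw + data_raw
    mapped = b"".join(part.ljust(0x1000, b"\0") for part in (headers, text_raw, data_raw))
    return on_disk, mapped


if __name__ == "__main__":
    on_disk, mapped = build_sample_pe()
    print("\n".join(section_report(parse_sections(mapped)[1])))
    print("rebuilt == on-disk:", save_module(mapped) == on_disk)
    print("rebuilt from truncated dump == on-disk:", save_module(mapped[:0x2100]) == on_disk)
```

What comes out is not byte-identical to the original file: pages that were never touched before the dump was taken are zero-filled, the PE checksum is not recomputed, and anything patched in memory (a runtime hook, an injected module, a packer's unpacked payload) is captured in its patched state. That last property is what makes this extraction useful in incident response, and it is also why the hash of a module recovered this way should not be expected to match the vendor's file; compare sections against a known-good copy instead of matching by hash.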
