Dumping a module’s memory space (via WinDbg)

The command .WRITEMEM allows us to save a range of the target's memory into a disk file. The cool thing about it is that we can save whole modules too, because a loaded module is just a range of raw memory.


.writemem FileName Range


0:026> lm
start end module name
00400000 00427000 mtgdi (deferred)
5a700000 5acaf000 mfc90d (deferred)
63df0000 63f13000 MSVCR90D (deferred)
71270000 71283000 dwmapi (deferred)
72cf0000 72d70000 UxTheme (deferred)
73470000 73475000 MSIMG32 (deferred)
73b90000 73b9d000 MFC90ENU (deferred)
74fd0000 75053000 COMCTL32 (deferred)
751d0000 751dc000 CRYPTBASE (deferred)
751e0000 75240000 SspiCli (deferred)
75240000 75259000 sechost (deferred)
75260000 75ea6000 SHELL32 (deferred)
75ee0000 75f8c000 msvcrt (deferred)
75fd0000 76060000 GDI32 (deferred)
76150000 76250000 kernel32 (deferred)
76250000 762ed000 USP10 (deferred)
763b0000 76410000 IMM32 (deferred)
76410000 7649f000 OLEAUT32 (deferred)
764a0000 764e4000 KERNELBASE (deferred)
765c0000 766b0000 RPCRT4 (deferred)
766b0000 76733000 CLBCatQ (deferred)
76a00000 76aa0000 ADVAPI32 (deferred)
76ce0000 76d37000 SHLWAPI (deferred)
76f40000 77040000 USER32 (deferred)
77040000 7710c000 MSCTF (deferred)
77110000 7726b000 ole32 (deferred)
77640000 7764a000 LPK (deferred)

Now let’s save MFC90ENU.DLL from the list above:
0:026> .writemem c:\downloads\MFC90ENU.dll 73b90000 (73b9d000 - 0x1)
Writing d000 bytes……………………..

Note the “- 0x1” above. Without it the command fails: in the “start end” form of Range the end address is inclusive, and the end address that lm reports is the first byte past the module, so the debugger would try to write one byte beyond the mapped region.
Another approach is to compute the module’s size and pass it as the length (L) parameter instead:
0:026> ? 73b9d000 - 73b90000
Evaluate expression: 53248 = 0000d000

0:026> .writemem c:\downloads\MFC90ENU.dll 73b90000 L 0000d000

Writing d000 bytes……………………..
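The two spellings above come down to one piece of arithmetic on the lm listing, so here is an added example (not part of the original post) that parses lm rows and emits both .writemem forms for every module, which is handy when you want to dump all loaded modules of a suspicious process for offline analysis. The lm rows are the ones quoted above; the output directory and the .dll extension are assumptions (lm does not show the file extension, so the main executable would really be an .exe).

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: a few rows copied from the `lm` listing in the post.
LM_OUTPUT = """\
start end module name
00400000 00427000 mtgdi (deferred)
5a700000 5acaf000 mfc90d (deferred)
73b90000 73b9d000 MFC90ENU (deferred)
76150000 76250000 kernel32 (deferred)
"""

# One `lm` row: "start end name (symbol status)". Addresses are hex without a 0x prefix.
LM_ROW = re.compile(r"^([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)")


class Module(NamedTuple):
    name: str
    start: int
    end: int  # exclusive: the first byte past the module, as lm reports it

    @property
    def size(self) -> int:
        # Same arithmetic as `? end - start` in the post.
        return self.end - self.start


def parse_lm(text: str) -> List[Module]:
    """Turn the text of an `lm` listing into Module records, skipping the header."""
    modules = []
    for line in text.splitlines():
        m = LM_ROW.match(line.strip())
        if not m:
            continue  # header line or anything that is not a module row
        start, end, name = int(m[1], 16), int(m[2], 16), m[3]
        if end <= start:
            raise ValueError(f"bad range for {name}: {start:08x}-{end:08x}")
        modules.append(Module(name, start, end))
    return modules


def writemem_commands(mod: Module, out_dir: str = r"c:\downloads",
                      ext: str = "dll") -> Tuple[str, str]:
    """Return both .writemem spellings for one module.

    The `start end` form is inclusive, so the end must be end - 1; the
    `start L size` form takes the byte count directly. out_dir and ext are
    assumptions for this example, not something lm tells us.
    """
    path = f"{out_dir}\\{mod.name}.{ext}"
    inclusive = f".writemem {path} {mod.start:08x} {mod.end - 1:08x}"
    by_size = f".writemem {path} {mod.start:08x} L {mod.size:x}"
    return inclusive, by_size


if __name__ == "__main__":
    for mod in parse_lm(LM_OUTPUT):
        inclusive, by_size = writemem_commands(mod)
        print(f"; {mod.name}: {mod.size:#x} bytes")
        print(inclusive)
        print(by_size)
```

Keep in mind what the resulting file is: the module as it is mapped in the process, with sections at their virtual addresses and imports already resolved, not the PE as it sat on disk. When you feed such a dump to PE tooling, treat it as a memory image rather than as the original file.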
