WinDbg : lm
The lm (loaded module) command and its various switches help you list the modules currently loaded and get specific information about them. The number of lm switch combinations is quite large, and I will not try to give examples of all of them. The objective of these blog posts is to guide you to a list of commands that can possibly help you out; I do not intend to reproduce the WinDbg help contents in any way. So if you need to look up more about lm, you can get help on how to do it right here.
Note: The output below is snipped. It is a very long list of modules and addresses, so for the sake of example I removed many of the output lines.
This output is taken from a full kernel dump, which means that both user and kernel memory are mapped. This is a basic x86 machine, where user memory is mapped in the address range 0x00000000 to 0x7FFFFFFF and kernel memory is mapped from 0x80000000 upwards. We will discuss these address mappings in a separate post later on, but for the sake of this example let's assume that these ranges are correct.
With this knowledge we can see that there are several user mode modules, namely NotMyFault, Shell32, NtDll etc., and several kernel modules like nt, hal, pci etc.
We also see that some of these modules have symbols while others do not. This can happen if we are looking at a module for which the vendor hasn't released symbols, or if the symbols we have do not match the module currently loaded.
At the end of the output we also see that there are a few modules which are shown as unloaded at the moment.
Execute the lm command in your debugger and check the full output.
kd> lm
start end module name
00400000 00413000 NotMyfault (no symbols)
76c00000 7784a000 SHELL32 (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\shell32.pdb\4555A5FB02FA4E49B65A25616CD97A6B2\shell32.pdb
77850000 778f0000 ADVAPI32 (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\advapi32.pdb\3F32049F550C42B09CF114A1FB8A97E92\advapi32.pdb
778f0000 779b9000 USER32 (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\user32.pdb\DD74D86F12624845A42A6A5BAAB4D7A82\user32.pdb
77ba0000 77cdc000 ntdll (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\120028FA453F4CD5A6A404EC37396A582\ntdll.pdb
77d40000 77dbb000 COMDLG32 (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\comdlg32.pdb\96BC483CDFF04D1AAFE462F093B954EC2\comdlg32.pdb
82608000 82a1a000 nt (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\684DA42A30CC450F81C535B4D18944B12\ntkrpamp.pdb
82a1a000 82a51000 hal (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\halmacpi.pdb\AE605D6C59454802AE1D485E0B089A571\halmacpi.pdb
862af000 862b7000 BOOTVID (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\bootvid.pdb\10C3ABD4165D4ED3A9493BB094B44AEA1\bootvid.pdb
863a4000 863c7000 ataport (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\ataport.pdb\C9AF9FE9166548FD86EFAC017F6023011\ataport.pdb
863c7000 863fb000 fltmgr (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\fltMgr.pdb\E6CA9E082E70438988788CB58DB340B01\fltMgr.pdb
86400000 86409000 atapi (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\atapi.pdb\EF544461A5D5482980C2CA01640A6D621\atapi.pdb
864f6000 86520000 pci (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\pci.pdb\2E2A912260694615A7E97AFBA3FA934E1\pci.pdb
8652b000 8653c000 partmgr (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\partmgr.pdb\7CA861FF7879483ABA38CE28186F293E2\partmgr.pdb
8653c000 8654c000 volmgr (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\volmgr.pdb\4AF04B598C494297B1C69F95823AA9F81\volmgr.pdb
8654c000 86597000 volmgrx (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\volmgrx.pdb\433F00DD3CC34DE8BC3F9E4BDDACA5EE1\volmgrx.pdb
86597000 8659e000 intelide (no symbols)
865e8000 865fe000 mountmgr (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\mountmgr.pdb\356DDF9839E040638E034EEA956C28F81\mountmgr.pdb
86629000 86758000 Ntfs (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\ntfs.pdb\04B176C327B240F7A576F3417A7B95032\ntfs.pdb
86856000 8685f000 Fs_Rec (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\fs_rec.pdb\3465ED05A901452FAD07E77351F094591\fs_rec.pdb
8685f000 86916000 ndis (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\ndis.pdb\4DAAA54E2C26455DB2471D696BC8E6A62\ndis.pdb
869d8000 869fd000 CLASSPNP (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\classpnp.pdb\64A86A6AD27D4730A78ECC25166E13562\classpnp.pdb
86a0b000 86b55000 tcpip (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\tcpip.pdb\0FD6F17209C1481C9008CCDB468746392\tcpip.pdb
92deb000 92dec600 myfault (no symbols)
Unloaded modules:
92c64000 92c7c000 parport.sys
86600000 8660d000 crashdmp.sys
86a00000 86a0b000 dump_ataport.sys
8660d000 86616000 dump_atapi.sys
86616000 86627000 dump_dumpfve.sys
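As an added example (not part of the original post), the following Python parses an lm listing like the one above, applies the x86 user/kernel split the post describes (user below 0x80000000, kernel at or above it), keeps track of the "Unloaded modules:" section, and pulls out the loaded kernel-mode modules the debugger has no symbols for. The sample input is a constructed subset of the listing above.

```python
import re

# Constructed sample: a few lines of the "lm" listing shown above, including the
# "Unloaded modules:" tail (the real listing is much longer).
LM_OUTPUT = r"""
start end module name
00400000 00413000 NotMyfault (no symbols)
77ba0000 77cdc000 ntdll (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\120028FA453F4CD5A6A404EC37396A582\ntdll.pdb
82608000 82a1a000 nt (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\684DA42A30CC450F81C535B4D18944B12\ntkrpamp.pdb
86597000 8659e000 intelide (no symbols)
92deb000 92dec600 myfault (no symbols)
Unloaded modules:
92c64000 92c7c000 parport.sys
86600000 8660d000 crashdmp.sys
"""

# x86 split stated in the post: user mode below 0x80000000, kernel mode at or above it.
KERNEL_BASE = 0x80000000

# start, end, name and the optional "(symbol status)" that follows the name
MODULE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)(?:\s+\((.*?)\))?")

def parse_lm(text):
    """Return one dict per module (loaded and unloaded) in an lm listing."""
    modules = []
    unloaded = False
    for line in text.splitlines():
        if line.startswith("Unloaded modules:"):
            unloaded = True          # everything after this header is unloaded
            continue
        m = MODULE_RE.match(line)
        if not m:                    # "start end module name" header, blank lines
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        modules.append({
            "name": m.group(3),
            "start": start,
            "end": end,
            "size": end - start,
            "symbols": m.group(4),   # "pdb symbols", "no symbols", or None when unloaded
            "kernel": start >= KERNEL_BASE,
            "unloaded": unloaded,
        })
    return modules

def kernel_modules_without_symbols(modules):
    """Loaded kernel-mode modules the debugger has no symbols for: the first
    candidates to examine with lm vm when triaging an unfamiliar dump."""
    return [m["name"] for m in modules
            if m["kernel"] and not m["unloaded"] and m["symbols"] == "no symbols"]
```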
Sometimes we need more information about a loaded module, such as its internal name, the company that built it, the build timestamp and so on. These can be found by using the vm switch with the lm command.
kd> lm vm nt
start end module name
82608000 82a1a000 nt (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\684DA42A30CC450F81C535B4D18944B12\ntkrpamp.pdb
Loaded symbol image file: ntkrpamp.exe
Image path: ntkrpamp.exe
Image name: ntkrpamp.exe
Timestamp: Sat Nov 20 14:12:49 2010 (4CE78A09)
CheckSum: 003C88AC
ImageSize: 00412000
File version: 6.1.7601.17514
Product version: 6.1.7601.17514
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrpamp.exe
OriginalFilename: ntkrpamp.exe
ProductVersion: 6.1.7601.17514
FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.
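As an added example (not part of the original post), the following Python parses the lm vm header into key/value fields, checks that ImageSize agrees with the mapped range from the listing (end minus start), and decodes the hex value in parentheses after the timestamp, which is the raw PE TimeDateStamp in seconds since 1970-01-01 UTC; the human-readable date WinDbg prints next to it is in the debugger's local time zone. The sample input is a constructed subset of the output above.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the first lines of the "lm vm nt" output shown above.
LM_VM_OUTPUT = r"""
start end module name
82608000 82a1a000 nt (pdb symbols) C:\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\684DA42A30CC450F81C535B4D18944B12\ntkrpamp.pdb
Loaded symbol image file: ntkrpamp.exe
Image path: ntkrpamp.exe
Image name: ntkrpamp.exe
Timestamp: Sat Nov 20 14:12:49 2010 (4CE78A09)
CheckSum: 003C88AC
ImageSize: 00412000
File version: 6.1.7601.17514
CompanyName: Microsoft Corporation
"""

RANGE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)")

def parse_lm_vm(text):
    """Return (start, end, fields): the module's mapped range plus the
    'Key: value' lines of the lm vm output as a dict."""
    start = end = None
    fields = {}
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m and start is None:      # the listing line with the mapped range
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return start, end, fields

def image_size_matches(start, end, fields):
    """ImageSize from the PE header should equal the mapped range (end - start);
    a mismatch means the header and the loaded image disagree."""
    return int(fields["ImageSize"], 16) == end - start

def pe_timestamp_utc(fields):
    """The hex value in parentheses is the raw PE TimeDateStamp: seconds since
    1970-01-01 UTC. The printed date is in the debugger's local time zone."""
    m = re.search(r"\(([0-9a-fA-F]{8})\)\s*$", fields["Timestamp"])
    return datetime.fromtimestamp(int(m.group(1), 16), tz=timezone.utc)
```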