Extract Module Info From a DMP File with PowerShell

Modify `$cdb` to point to CDB.exe from the Windows SDK Debugging Tools (the x64 build shown below; use the x86 debugger for 32-bit dumps if that is what you have installed).

The script runs `cdb -z <dump> -c "lmv;q"` and parses the verbose module listing into one record per module. A usage example is at the end of the script.

Script can be downloaded here http://1drv.ms/1MEeIqD

```powershell
Set-StrictMode -Version 2.0

# path to CDB from Windows SDK Debugging Tools
$cdb = "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe"

function Get-ModulesFromDmp {
    Param(
        [Parameter(Mandatory = $true)]
        [string]$FilePath
    )

    if (-not (Test-Path -LiteralPath $cdb)) {
        throw "cdb.exe not found at '$cdb'; set `$cdb to your Debugging Tools path."
    }
    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "Dump file not found: $FilePath"
    }

    # one record per module; the fields mirror what 'lmv' prints
    if (-not ([System.Management.Automation.PsTypeName]'moduleinfo').Type) {
        Add-Type @"
public struct moduleinfo
{
    public string imagepath;
    public string imagename;
    public string timestamp;
    public string checksum;
    public string imagesize;
    public System.Version fileversion;
    public System.Version productversion;
    public string fileflags;
    public string fileos;
    public string filetype;
    public string filedate;
    public string translations;
    public string companyname;
    public string productname;
    public string internalname;
    public string originalfilename;
    public string productversiontext;
    public string fileversiontext;
    public string privatebuild;
    public string filedescription;
    public string legalcopyright;
    public string notes;
}
"@
    }

    # open the dump, list modules verbosely, then quit; output comes back one line per element
    $moduledata = & $cdb -z "$FilePath" -c "lmv;q"

    $modules = @()
    $started = $false          # set once the 'start end module name' header is seen
    $unloadedmodules = $false  # set once the 'Unloaded modules:' section begins
    $info = $null

    foreach ($line in $moduledata) {
        if (-not $started) {
            # skip cdb's banner until the module table header
            if ($line.StartsWith("start")) { $started = $true }
            continue
        }
        if ($line.StartsWith("Unloaded modules")) {
            $unloadedmodules = $true
            continue
        }
        if ($line.StartsWith("quit:") -or $line.Trim().Length -eq 0) {
            # end of cdb output, or a blank line: not part of any module record
            continue
        }

        if (-not $line.StartsWith(" ")) {
            # an unindented line is a new module header: flush the previous record
            if ($info -ne $null) { $modules += $info }
            $info = New-Object moduleinfo
            if ($unloadedmodules) {
                # unloaded entries look like '<start> <end>   name.dll'; the name is the last token
                $info.imagename = ($line -split '\s+')[-1]
                $info.filedescription = "unloaded module"
            }
            continue
        }

        # indented detail line, normally 'Name: value' (the value itself may contain colons)
        if ($line.Contains(":")) {
            $name = $line.Split(":")[0].Trim()
            $value = $line.Substring($line.IndexOf(":") + 1).Trim()
            switch ($name) {
                "Image path"       { $info.imagepath = $value }
                "Image name"       { $info.imagename = $value }
                "Timestamp"        { $info.timestamp = $value }
                "Checksum"         { $info.checksum = $value }
                "ImageSize"        { $info.imagesize = $value }
                "File version"     { try { $info.fileversion = New-Object System.Version($value) } catch { $info.fileversiontext = $value } }
                "Product version"  { try { $info.productversion = New-Object System.Version($value) } catch { $info.productversiontext = $value } }
                "File flags"       { $info.fileflags = $value }
                "File OS"          { $info.fileos = $value }
                "File type"        { $info.filetype = $value }
                "File date"        { $info.filedate = $value }
                "Translations"     { $info.translations = $value }
                "CompanyName"      { $info.companyname = $value }
                "ProductName"      { $info.productname = $value }
                "InternalName"     { $info.internalname = $value }
                "OriginalFilename" { $info.originalfilename = $value }
                "ProductVersion"   { $info.productversiontext = $value }
                "FileVersion"      { $info.fileversiontext = $value }
                "FileDescription"  { $info.filedescription = $value }
                "LegalCopyright"   { $info.legalcopyright = $value }
                "PrivateBuild"     { $info.privatebuild = $value }
            }
        } else {
            # free-text lines (e.g. build flags) are collected as notes
            $info.notes += $line.Trim()
        }
    }
    # the last module has no following header to flush it, so add it here
    if ($info -ne $null) { $modules += $info }

    return $modules
}

# usage example
$result = Get-ModulesFromDmp "C:\dumps\DocumentAutomation.Indexing.exe_150819_123051.dmp"
# make a csv
#$result | Export-Csv C:\support\out4.csv -NoTypeInformation
# get a grid view
$result | Out-GridView
```
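As an added example (not part of the original script), a triage pass over the `$result` array that the usage example produces: it flags modules whose image path is outside the OS and Program Files directories or inside a user-writable location, and modules with no CompanyName resource. The trusted roots are an assumption about the dumped machine's layout; the output is a starting point for review, not a verdict.

```powershell
# Added triage helper (not part of the original script).
# Assumption: $Modules holds moduleinfo records from Get-ModulesFromDmp, and the
# dumped machine used the default C:\Windows and Program Files locations.
function Get-ModuleTriage {
    Param(
        [Parameter(Mandatory = $true)]
        [object[]]$Modules
    )
    $trustedRoots = @("C:\Windows\", "C:\Program Files\", "C:\Program Files (x86)\")

    foreach ($m in $Modules) {
        # unloaded entries carry no image path, so there is nothing to judge
        if ($m.filedescription -eq "unloaded module") { continue }

        $path = [string]$m.imagepath
        $reasons = @()

        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        if (-not $trusted) { $reasons += "image outside OS/Program Files directories" }

        # modules loaded from temp or profile directories deserve a closer look
        if ($path -match '\\(Temp|Downloads|AppData\\Local\\Temp)\\') { $reasons += "user-writable location" }

        # a missing CompanyName resource is unusual for vendor-shipped binaries
        if ([string]::IsNullOrEmpty([string]$m.companyname)) { $reasons += "no CompanyName resource" }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Module  = $m.imagename
                Path    = $path
                Company = $m.companyname
                Reasons = ($reasons -join "; ")
            }
        }
    }
}

# usage: run after the usage example above has populated $result
Get-ModuleTriage -Modules $result | Format-Table Module, Company, Path, Reasons -AutoSize
```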

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.