Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Loaded Modules

In the Command window, the reader will notice that a series of modules has been loaded and that the WinMine process has been issued a break.

ModLoad: 01000000 01020000   C:\WINDOWS\System32\winmine.exe
ModLoad: 77f50000 77ff7000   C:\WINDOWS\System32\ntdll.dll
ModLoad: 77e60000 77f46000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 77c10000 77c63000   C:\WINDOWS\system32\msvcrt.dll
...
ModLoad: 77c00000 77c07000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.DLL
ModLoad: 771b0000 772d4000   C:\WINDOWS\system32\OLE32.DLL
(9b0.a2c): Break instruction exception - code 80000003 (first chance)
eax=7ffdf000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004
eip=77f75a58 esp=00cfffcc ebp=00cffff4 iopl=0   nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000   efl=00000246
ntdll!DbgBreakPoint:
77f75a58 cc               int     3

The two 32-bit addresses following "ModLoad:" represent the virtual memory address range the corresponding module is mapped to. These loaded modules contain functionality that WinMine is dependent upon. To get a list of loaded modules, the reader may issue any of the following commands: lm, !lm, !dlls
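As an added example (not part of the original article), the following Python script parses the ModLoad lines shown above and resolves an address, such as the eip value at the initial break, to its module and offset. The function names are made up for this example, and treating the end address as exclusive (base plus image size) is an assumption.

```python
import re

# Constructed sample: ModLoad lines copied from the Command window output above.
SAMPLE_LOG = r"""
ModLoad: 01000000 01020000   C:\WINDOWS\System32\winmine.exe
ModLoad: 77f50000 77ff7000   C:\WINDOWS\System32\ntdll.dll
ModLoad: 77e60000 77f46000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 77c10000 77c63000   C:\WINDOWS\system32\msvcrt.dll
(9b0.a2c): Break instruction exception - code 80000003 (first chance)
"""

MODLOAD_RE = re.compile(r"^ModLoad:\s+([0-9a-fA-F`]+)\s+([0-9a-fA-F`]+)\s+(.+?)\s*$")


def parse_modules(log):
    """Return a list of (start, end, path) tuples sorted by start address."""
    modules = []
    for line in log.splitlines():
        m = MODLOAD_RE.match(line.strip())
        if not m:
            continue  # skip register dumps, exception notices, "..." and so on
        # 64-bit WinDbg prints addresses as 00007ff6`12340000; drop the backtick.
        start = int(m.group(1).replace("`", ""), 16)
        end = int(m.group(2).replace("`", ""), 16)
        if end <= start:
            raise ValueError(f"bad range in line: {line!r}")
        modules.append((start, end, m.group(3)))
    return sorted(modules)


def resolve(modules, address):
    """Map an address to (module file name, offset from base), or None."""
    for start, end, path in modules:
        # Assumption: the end address is exclusive (base + image size).
        if start <= address < end:
            return path.rsplit("\\", 1)[-1], address - start
    return None


if __name__ == "__main__":
    mods = parse_modules(SAMPLE_LOG)
    for start, end, path in mods:
        print(f"{start:08x}-{end:08x} size={end - start:#x} {path}")
    # eip from the register dump at the initial breakpoint
    print(resolve(mods, 0x77F75A58))
```
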

The reader should also notice that WinDBG, by default, displays register values in the Command window upon reaching a breakpoint or at the completion of each step.