RE: Flushing DLLs from memory

From: Free, Bob (RWF4@pge.com)
Date: 10/23/01

• Previous message: Robert Gosewehr: "POP3 and IMAP authentication after Q303451"
• Maybe in reply to: H C: "Flushing DLLs from memory"
• Next in thread: Robert Collins: "Re: Flushing DLLs from memory"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Message-ID: <2DBFCBE6D1DAD11191E300805F577D1202C10E98@exchange104.comp.pge.com>
From: "Free, Bob" <RWF4@pge.com>
To: "'H C'" <keydet89@yahoo.com>, forensics@securityfocus.com, focus-ms@securityfocus.com
Subject: RE: Flushing DLLs from memory
Date: Mon, 22 Oct 2001 16:06:55 -0700

Hi Carv-

 Is this of any use?

To unload DLLs that have been left in
memory, developers must exit and then restart Windows, which can be very
inconvenient. DLL UNLOADER is a sample Windows-based application that lets
developers select a DLL, show information about it, and unload it from the
system if desired; this eliminates the need to restart Windows.

Unloader.exe
 
(http://download.microsoft.com/download/platformsdk/sample80/3.1/W31/EN-US/U
NLOADER.EXE)

-----Original Message-----
From: H C [mailto:keydet89@yahoo.com]
Sent: Friday, October 19, 2001 5:31 PM
To: forensics@securityfocus.com; focus-ms@securityfocus.com
Subject: Flushing DLLs from memory

I've been looking into 'live' forensics issues on
NT/2K, and one thing I'm not having any luck with is
how to flush DLLs from memory.

Looking at Rob Lee's page, he's working on
statically-linked binaries for the *nix platforms.
This is an interesting issue, but perhaps not as
simple for NT/2K. I know how to check for which DLLs
a particular program depends on, and I know that the
program and it's DLLs can be loaded onto a CD...the
program can be run from a command prompt after
supplying 'PATH="."'. However, how does one flush the
currently loaded DLLs from memory such that only the
'known good' DLLs from the CD are used?

Thanks,

Carv

__________________________________________________
Do You Yahoo!?
Make a great connection at Yahoo! Personals.
http://personals.yahoo.com

[This inbound message was scanned for viruses
by the McAfee E500]

---

• Previous message: Robert Gosewehr: "POP3 and IMAP authentication after Q303451"
• Maybe in reply to: H C: "Flushing DLLs from memory"
• Next in thread: Robert Collins: "Re: Flushing DLLs from memory"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Memory limit reached with Windows Mobile ... I do understand what a test is, and I do understand how memory management ... ctacke: re-read Patrick's questions, ... 1- Load the same DLL over and over. ... Loading native DLLs takes at least 64k each. ... (microsoft.public.pocketpc.developer) Re: Explicit loading does not work ... This utility just prints virtual memory layout for the application with XIP attributes if any. ... Application DLLs can not be loaded at the address where XIP dlls reside. ... when this space is out, HeapAlloc begins allocating virtual memory from the XIP ... (microsoft.public.windowsce.embedded.vc) Re: Memory limit reached with Windows Mobile ... ctacke: re-read Patrick's questions, ... 1- Load the same DLL over and over. ... Loading native DLLs takes at least 64k each. ... good thing due to the 64k minimum virtual memory size each will take. ... (microsoft.public.pocketpc.developer) Re: Memory limit reached with Windows Mobile ... That would explain the memory problem - you just can't do that. ... You have to load stuff when it's ... All native DLLs get loaded ... (microsoft.public.pocketpc.developer) Memory limit reached with Windows Mobile ... We are currently having memory issues with our Pocket PC application. ... 2003 and the Compact Framework 1.0 SP3. ... If a process loads 4 Mb of DLLs, then 8 Mb of data, he can no ... longer load DLLs, ... (microsoft.public.pocketpc.developer)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)