xupeng

Reputation: 67

lm command does not show correct module

I use WinDbg to analyze Adobe Acrobat Reader, AcroRd32.exe. I want to see which modules (the .dll modules that are in the same directory as AcroRd32.exe) AcroRd32.exe loaded.

I monitor with WinDbg while opening a PDF file, then use the lm command to show loaded modules. However, there is no module (.DLL) from the same directory as AcroRd32.exe.

Does that mean AcroRd32.exe didn't use these DLLs? To verify my assumption, I deleted all DLL files that are in the same directory as AcroRd32.exe. Then AcroRd32.exe could not start normally. It means that these DLLs are necessary for AcroRd32.exe. But why didn't WinDbg's lm command show these DLL modules?

Upvotes: 1

Views: 148

Answers (1)

Thomas Weller

Reputation: 59564

Acrobat Reader starts another instance of itself. You need to debug the second instance to see the modules being loaded:

ntdll!LdrpDoDebuggerBreak+0x2b:
77e9db9b cc              int     3
0:000> .childdbg 1
Processes created by the current process will be debugged    
0:000> sxe cpr
0:000> g
[...]
Executable search path is: 
ModLoad: 00c20000 00e45000   AcroRd32.exe

At this point, the second instance is going to be started.

1:010> g
ntdll!LdrpDoDebuggerBreak+0x2b:
77e9db9b cc              int     3
1:010> g

If you break when Acrobat Reader has loaded, you'll see:

1:010> |0s
0:000> lmf
[...]
No Adobe Acrobat Reader DLLs
[...]
0:000> |1s
1:010> lmf
[...]
56910000 56961000   sqlite   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll
56970000 569a4000   AXE8SharedExpat C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXE8SharedExpat.dll
569b0000 56a9c000   ACE      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll
56aa0000 56d78000   CoolType C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CoolType.dll
56d80000 56d9e000   BIB      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll
56da0000 572c2000   AGM      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGM.dll
[...]

The first instance does not have DLLs loaded from Adobe Acrobat's directory, but the second one does.

Upvotes: 1
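
As an added example (not part of the answer above, and not Adobe or WinDbg code): a small Python parser for a saved debugger log that attributes each `lmf` listing to the process number shown in the prompt and reports which process loaded DLLs from the Reader directory. The sample log is constructed in the shape of the session above, and the function names are illustrative.

```python
import ntpath
import re

# Constructed sample log, shaped like the session above (addresses for
# AcroRd32 and ntdll in the lmf listings are illustrative).
SAMPLE_LOG = r"""
1:010> g
ntdll!LdrpDoDebuggerBreak+0x2b:
77e9db9b cc              int     3
1:010> |0s
0:000> lmf
start    end        module name
00c20000 00e45000   AcroRd32 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
77e00000 77f9a000   ntdll    C:\WINDOWS\SYSTEM32\ntdll.dll
0:000> |1s
1:010> lmf
start    end        module name
00c20000 00e45000   AcroRd32 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
56910000 56961000   sqlite   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll
56d80000 56d9e000   BIB      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll
77e00000 77f9a000   ntdll    C:\WINDOWS\SYSTEM32\ntdll.dll
"""
READER_DIR = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader"

PROMPT = re.compile(r"^(\d+):\d+> ?(.*)$")   # e.g. "1:010> lmf"
MODULE = re.compile(r"^[0-9a-f`]{8,}\s+[0-9a-f`]{8,}\s+(\S+)\s+(\S.*\S)\s*$", re.I)

def modules_by_process(log):
    """Map debugger process number -> [(module name, image path)] from lm output."""
    result, current, in_lm = {}, None, False
    for line in log.splitlines():
        prompt = PROMPT.match(line)
        if prompt:  # the prompt names the process the command runs in
            current = int(prompt.group(1))
            in_lm = prompt.group(2).strip().startswith("lm")
            if in_lm:
                result.setdefault(current, [])
            continue
        mod = MODULE.match(line) if in_lm else None
        if mod:
            result[current].append((mod.group(1), mod.group(2)))
    return result

def dlls_from_dir(log, app_dir):
    """Per process, names of DLLs whose image file sits directly in app_dir."""
    want = ntpath.normcase(ntpath.normpath(app_dir))
    return {proc: [name for name, path in mods
                   if path.lower().endswith(".dll")
                   and ntpath.normcase(ntpath.dirname(path)) == want]
            for proc, mods in modules_by_process(log).items()}

if __name__ == "__main__":
    for proc, dlls in dlls_from_dir(SAMPLE_LOG, READER_DIR).items():
        print(f"process {proc}: {len(dlls)} DLL(s) from Reader dir: {dlls}")
```

A process that reports an empty list here while a sibling process lists the application's DLLs is the parent/child split described in the answer.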
