這篇文章裡面會介紹, 當你使用windbg來除錯一個dump檔
而它又是32bits的應用程式跑在x64機器上的dump檔, 如何從 32bit mode切換到 x64 machine.
假如你是32bit或64bit版本的windbg, 去開啟 32bit Application跑在x64作業系統上的Dump檔, 預設就是指你用64bit的模式去看32bit的application, 如下例, 會出現很多 wow64xxxx的字串
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
0:001> <strong>k </strong> Child-SP RetAddr Call Site 00000000`027eebc8 00000000`7529ab46 wow64cpu!WaitForMultipleObjects32+0x3a 00000000`027eec70 00000000`7529a14c wow64!RunCpuSimulation+0xa 00000000`027eeca0 00000000`777305a8 wow64!Wow64LdrpInitialize+0x4b4 00000000`027ef200 00000000`776e68de ntdll!_LdrpInitialize+0x49db8 00000000`027ef2b0 00000000`00000000 ntdll!LdrInitializeThunk+0xe 0:001><strong> r </strong> rax=000000000af7e3b8 rbx=00000000778ecb94 rcx=00000000004b6a18 rdx=0000000000000018 rsi=00000000004b6a18 rdi=0000000000000000 rip=000000007577374f rsp=00000000027eebc8 rbp=0000000002a9fee0 r8=000000000000002b r9=00000000778c99fd r10=0000000000000000 r11=0000000000000212 r12=000000007efd8000 r13=00000000027efd20 r14=00000000027eec00 r15=0000000075773380 iopl=0 nv up ei pl nz ac pe nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 wow64cpu!WaitForMultipleObjects32+0x3a: 00000000`7577374f 418bbda0000000 mov edi,dword ptr [r13+0A0h] ds:00000000`027efdc0=00000000 |
這些wow64xxxx的字串在這些call stack根本無法給我們想要的訊息!
The wow64 stuff in the call stack and the x64 registers do not tell us much.
切換成用32bit的視角來看吧! 透過 .effmach x86 或 !wow64exts.sw 就可以囉!
To get the meaningful 32bit look of the application, you need to switch the processor mode that the debugger uses to 32bit by entering either .effmach x86 or !wow64exts.sw in windbg. The two commands are basically same. You should see output like the following:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
0:001><strong> !wow64exts.sw </strong> Switched to 32bit mode 0:001:x86><strong> k</strong> ChildEBP RetAddr 02a9fd4c 7794787d ntdll_77880000!NtWaitForMultipleObjects+0x15 02a9fee0 7730eccb ntdll_77880000!TppWaiterpThread+0x328 02a9feec 778fd24d kernel32!BaseThreadInitThunk+0xe 02a9ff2c 778fd45f ntdll_77880000!__RtlUserThreadStart+0x23 02a9ff44 00000000 ntdll_77880000!_RtlUserThreadStart+0x1b 0:001:x86> <strong>r </strong> eax=00000000 ebx=778ecb94 ecx=00000000 edx=00000000 esi=004b6a18 edi=00000000 eip=778c99fd esp=02a9fd50 ebp=02a9fee0 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 ntdll_77880000!NtWaitForMultipleObjects+0x15: 778c99fd c21400 ret 14h |
果然看起來很不一樣吧!
The call stack looks very different now. Particularly you do not see any wow64 and wow64cpu modules in the stack.
以上的方法也適用於x64 kernel dump 在32bits處理器
Note: The above solution works for the kernel mode dump of an x64 system too when you try to see the thread call stacks of a running 32bit process.