Jaa


Analyzing 32bit dumps taken on a 64bit machine using 64bit debugger

 

Hi,

I came across this interesting situation while trying to analyze some dumps of an x86 application on an x64 machine, where the dumps were taken using the x64 version of the debugger.

Before going ahead, let me tell you that if this situation arises, the best bet is to take the dumps using the x86 version of the debugger. However, if you do come across these kinds of dumps, taken using the x64 version of the debugger, then below is what you need to do.

 

Assuming that you have installed Debugging Tools for Windows under <Install Drive>\Debuggers.

 

When you run kb on the dump you will see something like the following, with not much stack information. Every resolved frame belongs to the WoW64 layer (wow64cpu, wow64, ntdll) that emulates the 32-bit process; the application's own 32-bit frames are not visible from the 64-bit view.

 

0:000> kb
RetAddr           : Args to Child                                                           : Call Site
00000000`78b840e5 : 00000023`7d61c888 00000000`00000023 00000000`00000202 00000000`0014e0e0 : wow64cpu!CpupSyscallStub+0x9 [d:\srvrtm\base\wow64\cpu\amd64\cpu\amd64\simulate.asm @ 983]
00000000`6b006a5a : 00000000`fffdf000 00000000`00080001 00000000`00000000 00000000`00000000 : wow64cpu!Thunk0ArgReloadState+0x1a [d:\srvrtm\base\wow64\cpu\amd64\cpu\amd64\simulate.asm @ 845]
00000000`6b005e0d : 00000000`00000000 00000000`0006f1b0 00000000`0006fab0 00000000`00000000 : wow64!RunCpuSimulation+0xa [d:\nt\base\wow64\wow64\wow64.c @ 1358]
00000000`77ed8030 : 00000000`000832f0 00000000`00000000 00000000`0006fab0 00000000`00000003 : wow64!Wow64LdrpInitialize+0x2ed [d:\nt\base\wow64\wow64\wow64.c @ 288]
00000000`77ed582f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrpInitializeProcess+0x1538 [d:\nt\base\ntdll\ldrinit.c @ 3043]
00000000`77ef30a5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!_LdrpInitialize+0x18f [d:\nt\base\ntdll\ldrinit.c @ 1138]
00000000`77d59620 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!KiUserApcDispatch+0x15 [d:\nt\base\ntos\rtl\amd64\trampoln.asm @ 194]
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77d59620
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x0
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x0
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x0
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x0
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x0
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x0
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000020`78746341 : 0x0
00000000`00000000 : 00000000`00000000 00000000`00000000 00000020`78746341 00005370`00000001 : 0x0
00000000`00000000 : 00000000`00000000 00000020`78746341 00005370`00000001 00000000`00000124 : 0x0
00000000`00000000 : 00000020`78746341 00005370`00000001 00000000`00000124 00000000`00000020 : 0x0
00000020`78746341 : 00005370`00000001 00000000`00000124 00000000`00000020 00000001`00000014 : 0x0
00005370`00000001 : 00000000`00000124 00000000`00000020 00000001`00000014 00000034`0000000a : 0x20`78746341

After opening the dump, load wow64exts, which is located under Debuggers\winxp, and walk both stacks with !wow64exts.k, e.g.

 

0:000> .load wow64exts
0:000> !wow64exts.k
Walking 64bit Stack...
Child-SP          RetAddr           Call Site
00000000`0006edf8 00000000`78b840e5 wow64cpu!CpupSyscallStub+0x9 [d:\srvrtm\base\wow64\cpu\amd64\cpu\amd64\simulate.asm @ 983]
00000000`0006ee00 00000000`6b006a5a wow64cpu!Thunk0ArgReloadState+0x1a [d:\srvrtm\base\wow64\cpu\amd64\cpu\amd64\simulate.asm @ 845]
00000000`0006ee70 00000000`6b005e0d wow64!RunCpuSimulation+0xa [d:\nt\base\wow64\wow64\wow64.c @ 1358]
00000000`0006eea0 00000000`77ed8030 wow64!Wow64LdrpInitialize+0x2ed [d:\nt\base\wow64\wow64\wow64.c @ 288]
00000000`0006f6d0 00000000`77ed582f ntdll!LdrpInitializeProcess+0x1538 [d:\nt\base\ntdll\ldrinit.c @ 3043]
00000000`0006f9d0 00000000`77ef30a5 ntdll!_LdrpInitialize+0x18f [d:\nt\base\ntdll\ldrinit.c @ 1138]
00000000`0006fab0 00000000`77d59620 ntdll!KiUserApcDispatch+0x15 [d:\nt\base\ntos\rtl\amd64\trampoln.asm @ 194]
00000000`0006ffa8 00000000`00000000 0x77d59620
00000000`0006ffb0 00000000`00000000 0x0
00000000`0006ffb8 00000000`00000000 0x0
00000000`0006ffc0 00000000`00000000 0x0
00000000`0006ffc8 00000000`00000000 0x0
00000000`0006ffd0 00000000`00000000 0x0
00000000`0006ffd8 00000000`00000000 0x0
00000000`0006ffe0 00000000`00000000 0x0
00000000`0006ffe8 00000000`00000000 0x0
00000000`0006fff0 00000000`00000000 0x0
00000000`0006fff8 00000000`00000000 0x0
00000000`00070000 00000020`78746341 0x0
00000000`00070008 00005370`00000001 0x20`78746341
Walking 32bit Stack...
*** WARNING: symbols timestamp is wrong 0x45d6cc72 0x45d709ff for ntdll.dll
ChildEBP          RetAddr
0014fc0c 7d4d8c82 ntdll_7d600000!NtWaitForSingleObject+0x15 [d:\nt\base\ntdll\wow6432\obj\i386\usrstubs.asm @ 133]
0014fc7c 7d4d8bf1 kernel32!WaitForSingleObjectEx+0xac [d:\nt\base\win32\client\synch.c @ 1246]
0014fc90 5a36467a kernel32!WaitForSingleObject+0x12 [d:\nt\base\win32\client\synch.c @ 1147]
0014fca0 5a366e63 w3dt!WP_CONTEXT::RunMainThreadLoop+0x10 [d:\srvrtm\inetsrv\iis\iisrearc\iisplus\ulatq\wpcontext.cxx @ 885]
0014fca8 5a3af42d w3dt!UlAtqStartListen+0x2d [d:\srvrtm\inetsrv\iis\iisrearc\iisplus\ulatq\ulatq.cxx @ 241]
0014fcb8 5a3bc335 w3core!W3_SERVER::StartListen+0xbd [d:\nt\inetsrv\iis\iisrearc\iisplus\ulw3\w3server.cxx @ 1388]
0014ff0c 0100187c w3core!UlW3Start+0x26e [d:\nt\inetsrv\iis\iisrearc\iisplus\ulw3\ulw3.cxx @ 242]
0014ff44 01001a27 w3wp!wmain+0x22a [d:\nt\inetsrv\iis\iisrearc\iisplus\w3wp\w3wp.cxx @ 269]
0014ffc0 7d4e7d2a w3wp!wmainCRTStartup+0x12f [d:\nt\base\crts\crtw32\dllstuff\crtexe.c @ 498]
0014fff0 00000000 kernel32!BaseProcessStart+0x28 [d:\nt\base\win32\client\support.c @ 838]

Now run the sw command, which is part of the wow64exts extension and switches the debugger between the 32-bit and 64-bit views of the process:

sw -- Switch between 32-bit and 64-bit mode.

!wow64exts.sw

Below is what you see now: the 32-bit stack of the application itself, which makes sense and lets you debug further. Note the prompt changes to 0:000:x86> to show the 32-bit view is active.

 

0:000:x86> kb
ChildEBP          RetAddr           Args to Child
0014fc0c 7d4d8c82 000001d0 00000000 00000000 ntdll_7d600000!NtWaitForSingleObject+0x15 [d:\nt\base\ntdll\wow6432\obj\i386\usrstubs.asm @ 133]
0014fc7c 7d4d8bf1 000001d0 ffffffff 00000000 kernel32!WaitForSingleObjectEx+0xac [d:\nt\base\win32\client\synch.c @ 1246]
0014fc90 5a36467a 000001d0 ffffffff 00000000 kernel32!WaitForSingleObject+0x12 [d:\nt\base\win32\client\synch.c @ 1147]
0014fca0 5a366e63 003d50c0 5a3af42d 00000000 w3dt!WP_CONTEXT::RunMainThreadLoop+0x10 [d:\srvrtm\inetsrv\iis\iisrearc\iisplus\ulatq\wpcontext.cxx @ 885]
0014fca8 5a3af42d 00000000 64711dcf 00000000 w3dt!UlAtqStartListen+0x2d [d:\srvrtm\inetsrv\iis\iisrearc\iisplus\ulatq\ulatq.cxx @ 241]
0014fcb8 5a3bc335 01001418 010013e4 010012d0 w3core!W3_SERVER::StartListen+0xbd [d:\nt\inetsrv\iis\iisrearc\iisplus\ulw3\w3server.cxx @ 1388]
0014ff0c 0100187c 00000005 003d3920 00000000 w3core!UlW3Start+0x26e [d:\nt\inetsrv\iis\iisrearc\iisplus\ulw3\ulw3.cxx @ 242]
0014ff44 01001a27 00000005 003d3920 003d4590 w3wp!wmain+0x22a [d:\nt\inetsrv\iis\iisrearc\iisplus\w3wp\w3wp.cxx @ 269]
0014ffc0 7d4e7d2a 00000000 00000000 fffdf000 w3wp!wmainCRTStartup+0x12f [d:\nt\base\crts\crtw32\dllstuff\crtexe.c @ 498]
0014fff0 00000000 010018f8 00000000 000000c8 kernel32!BaseProcessStart+0x28 [d:\nt\base\win32\client\support.c @ 838]

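As an added example (not part of the original post), the Python script below automates the triage described above when many dumps have to be checked: it parses both `kb` layouts shown in the post (the 64-bit "RetAddr : Args : Call Site" layout and the whitespace-separated 32-bit/!wow64exts.k layout), recognises the "only the WoW64 layer is visible" pattern, and builds a non-interactive cdb command line (`cdb -z <dump> -c "<commands>; q"`) that runs `.load wow64exts` and `!wow64exts.sw` before `kb`. The two sample stacks are trimmed copies of the post's output (source paths removed); the module list, the heuristic, and the `w3wp.dmp` file name are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Modules that make up the WoW64 emulation layer in the 64-bit view of a 32-bit
# process (assumption for this example; ntdll is the 64-bit ntdll in that view).
WOW64_LAYER = {"wow64", "wow64cpu", "wow64win", "ntdll"}
_ADDR = re.compile(r"^[0-9a-fA-F`]+$")  # 8-digit or 00000000`xxxxxxxx address columns


@dataclass
class Frame:
    ret_addr: str   # return address column as printed by the debugger
    call_site: str  # "module!symbol+off [...]" or a bare "0x..." when unresolved

    @property
    def module(self) -> Optional[str]:
        m = re.match(r"([A-Za-z0-9_]+)!", self.call_site)
        return m.group(1).lower() if m else None


def parse_stack(text: str) -> List[Frame]:
    """Parse WinDbg `kb` / `!wow64exts.k` output into frames.
    Prompts, headers and warnings are skipped because their first column is not an address."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " : " in line:
            # 64-bit `kb` layout: RetAddr : Args to Child : Call Site
            parts = line.split(" : ", 2)
            if len(parts) == 3 and _ADDR.match(parts[0].strip()):
                frames.append(Frame(parts[0].strip(), parts[2].strip()))
            continue
        # Whitespace layouts: ChildEBP/Child-SP RetAddr [Args...] Call Site
        tokens = line.split()
        addrs: List[str] = []
        while tokens and _ADDR.match(tokens[0]):
            addrs.append(tokens.pop(0))
        if len(addrs) >= 2 and tokens:
            frames.append(Frame(addrs[1], " ".join(tokens)))
    return frames


def is_wow64_shell(frames: List[Frame]) -> bool:
    """Heuristic taken from the post: the 64-bit view of a 32-bit dump shows only the
    emulator (wow64cpu on top, then wow64/ntdll) and nothing of the application."""
    mods = [f.module for f in frames if f.module]
    return bool(mods) and mods[0] == "wow64cpu" and all(m in WOW64_LAYER for m in mods)


def recovery_commands(frames: List[Frame]) -> List[str]:
    """Debugger commands that yield a usable stack; switch views only when needed."""
    if is_wow64_shell(frames):
        return [".load wow64exts", "!wow64exts.sw", "kb"]
    return ["kb"]


def cdb_command_line(dump_path: str, frames: List[Frame]) -> List[str]:
    """argv for a scripted cdb run (cdb -z <dump> -c "<cmds>; q"), usable with subprocess.run."""
    return ["cdb", "-z", dump_path, "-c", "; ".join(recovery_commands(frames) + ["q"])]


# Constructed samples: the first frames of the two `kb` listings in the post, paths trimmed.
KB_64 = """\
0:000> kb
RetAddr           : Args to Child                                                           : Call Site
00000000`78b840e5 : 00000023`7d61c888 00000000`00000023 00000000`00000202 00000000`0014e0e0 : wow64cpu!CpupSyscallStub+0x9
00000000`6b006a5a : 00000000`fffdf000 00000000`00080001 00000000`00000000 00000000`00000000 : wow64cpu!Thunk0ArgReloadState+0x1a
00000000`6b005e0d : 00000000`00000000 00000000`0006f1b0 00000000`0006fab0 00000000`00000000 : wow64!RunCpuSimulation+0xa
00000000`77ed8030 : 00000000`000832f0 00000000`00000000 00000000`0006fab0 00000000`00000003 : wow64!Wow64LdrpInitialize+0x2ed
00000000`77ed582f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrpInitializeProcess+0x1538
00000000`77ef30a5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!_LdrpInitialize+0x18f
00000000`77d59620 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!KiUserApcDispatch+0x15
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77d59620
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x0
"""

KB_32 = """\
0:000:x86> kb
ChildEBP          RetAddr           Args to Child
0014fc0c 7d4d8c82 000001d0 00000000 00000000 ntdll_7d600000!NtWaitForSingleObject+0x15
0014fc7c 7d4d8bf1 000001d0 ffffffff 00000000 kernel32!WaitForSingleObjectEx+0xac
0014fc90 5a36467a 000001d0 ffffffff 00000000 kernel32!WaitForSingleObject+0x12
0014fca0 5a366e63 003d50c0 5a3af42d 00000000 w3dt!WP_CONTEXT::RunMainThreadLoop+0x10
0014ff44 01001a27 00000005 003d3920 003d4590 w3wp!wmain+0x22a
0014fff0 00000000 010018f8 00000000 000000c8 kernel32!BaseProcessStart+0x28
"""

if __name__ == "__main__":
    for label, text in (("64-bit view", KB_64), ("32-bit view", KB_32)):
        fr = parse_stack(text)
        print(f"{label}: wow64 shell={is_wow64_shell(fr)} -> {'; '.join(recovery_commands(fr))}")
    print(cdb_command_line("w3wp.dmp", parse_stack(KB_64)))  # w3wp.dmp is a placeholder name
```

The heuristic is deliberately conservative: it only recommends the view switch when the top frame is in wow64cpu and no application module appears at all, so a genuine 64-bit process blocked in ntdll with its own modules further down the stack is left alone.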

If this happens to duplicate any existing post, treat it as purely coincidental.