Udostępnij za pośrednictwem


SOS/PSSCOR & .effmach

Recently in one of our internal forums there was this thread around debugging different architectures (IA64, AMD64,x86) and the right environment to analyze the memory dump.

If you have a IA64 memory dump then you will have to use a IA64 architecture to analyze the memory dump.

If you have a 64 bit process memory dump (don´t confuse 64 bit process with 64 bit environment) then you will have to use a 64 bit environment to analyze the memory dump.

If you have a 32 bit process memory dump taken on a 32 bit environment then you can use a 32 bit or 64 bit debugger to analyze the memory dump.

What i want to talk about is when you take a 32 bit process memory dump in a 64 bit environment. When you do this you can actually use a 32 or 64 bit environment to do the analysis but if you are going to use a 32 bit environment there are some steps you need to be aware of.

When you look (using a 32 bit debugger) at a memory dump of a 32 bit process taken in a 64 bit environment you might find that almost all your threads look like the one below

 75 Id: 1028.848 Suspend: 0 Teb: 00000000`7ee74000 Unfrozen

RetAddr : Args to Child : Call Site

00000000`75863b06 : 00000023`77d1090d 00000000`00000023 00000000`00000202 00000000`1c23f7fc : wow64cpu!CpupSyscallStub+0x9

00000000`756eab46 : 00000000`77b50000 00000000`1715fd20 00000000`6262595c 00000000`1715f620 : wow64cpu!Thunk0ArgReloadState+0x1a

00000000`756ea14c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : wow64!RunCpuSimulation+0xa

00000000`77bb73db : 00000000`00000000 00000000`00000000 00000000`7efdf000 00000000`00000000 : wow64!Wow64LdrpInitialize+0x4b4

00000000`77b785ce : 00000000`1715f620 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll!_LdrpInitialize+0x3edeb

00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe

 

What you are seeing is the subsystem the runs the 32 bit processes in 64 bit environment (more information on windows-on-windows at https://msdn.microsoft.com/en-us/library/aa384249(VS.85).aspx ). In order to see what you really want you can use .effmach to switch to a x86 mode. Below is an example of how to do this

0:000> .load wow64exts (loading the wow extension)

0:000> .effmach x86 (switch to x86 mode)

Effective machine: x86 compatible (x86)

 

After doing this if you issue a K command you will see the stack you want. You will also notice the x86 added to the prompt.

0:000:x86> k

ChildEBP RetAddr

0033f978 75f2dcea ntdll_77cf0000!ZwWaitForMultipleObjects+0x15

0033fa14 76dd8f76 kernel32!WaitForMultipleObjectsEx+0x11d

0033fa68 71588717 user32!RealMsgWaitForMultipleObjectsEx+0x14d

0033fa98 716b9071 MSO!MsgWaitForMultipleObjectsAlertable+0x3a

0033fabc 2fd5e803 MSO!MsoPWMsgWaitForMultipleObjectsEx+0x4f

 

This is very beautiful but (there is always one J) if you are troubleshooting a .NET issue and want to use SOS/PSSCOR extension you are going to have problems because SOS/PSSCOR doesn´t work with .effmach. (Sorry)

Have fun!!!

Bruno