Udostępnij za pośrednictwem


Setting debugger target architecture: .effmach

Sometimes, you may find dumps with callstacks that point to the wow64 thunks with little else of value.  For example:

 0:000> k
 # Child-SP RetAddr Call Site
00 00000000`0063e958 00000000`6c8d210d wow64cpu!<redacted>+0xc 
01 00000000`0063e960 00000000`6c88bfa1 wow64cpu!<redacted>+0xc 
02 (Inline Function) --------`-------- wow64!<redacted>+0xd 
03 00000000`0063ea10 00000000`6c87cbb0 wow64!<redacted>+0xf311 
04 00000000`0063ea90 00007ffd`d1ef2a11 wow64!<redacted>+0x120 
05 00000000`0063ed40 00007ffd`d1f28986 ntdll!LdrpInitializeProcess+0x1551 
06 00000000`0063f140 00007ffd`d1ed9fae ntdll!_LdrpInitialize+0x4e982 
07 00000000`0063f1c0 00000000`00000000 ntdll!LdrInitializeThunk+0xe

When this is encountered, it means your debugger is interpreting the data streams with the wrong processor architecture.  Simply set it to the target architecture (x86), and you'll start to see the expected callstacks:

 0:000>  .effmach x86
Effective machine: x86 compatible (x86)
0:000:x86> kpnL
 # ChildEBP RetAddr 
00 0067f8cc 763c2e1a ntdll_77130000!NtDelayExecution(void)+0xc
01 0067f934 763c2d7f KERNELBASE!SleepEx(unsigned long dwMilliseconds = 0x1, int bAlertable = 0n0)+0x8a
02 0067f944 006c58b0 KERNELBASE!Sleep(unsigned long dwMilliseconds = 0x1)+0xf
03 0067fa44 006b6762 foo_6a0000!<redacted>
04 0067fb44 006b6f22 foo_6a0000!<redacted>
05 0067fbc0 73f462c4 foo_6a0000!<redacted>
06 0067fbd4 77190fd9 kernel32!BaseThreadInitThunk(<redacted>)+0x24
07 0067fc1c 77190fa4 ntdll_77130000!__RtlUserThreadStart(<redacted>)+0x2f
08 0067fc2c 00000000 ntdll_77130000!_RtlUserThreadStart(<redacted>)+0x1b