I am using WinDbg to debug some kernel/user-space issue in a wow64 process running on Windows 10 (version 1809).
When I switch to host (normal 64-bit) mode, everything works as expected and I can see the thread contents:
32.0: kd:x86> !wow64exts.sw
Switched to Host mode
32.0: kd> !thread
THREAD ffffaf043002e080 Cid 1fdc.1744 Teb: 00000000002ca000 Win32Thread: ffffaf0431c83df0 RUNNING on processor 0
Not impersonating
DeviceMap ffffc18dfc3e77a0
Owning Process ffffaf042f00c580 Image: myProc.exe
Attached Process N/A Image: N/A
Wait Start TickCount 77352 Ticks: 1 (0:00:00:00.015)
Context Switch Count 211 IdealProcessor: 1
UserTime 00:00:00.015
KernelTime 00:00:00.421
Win32 Start Address 0x0000000000020000
Stack Init ffffd708131a7c10 Current ffffd708131a6b40
Base ffffd708131a8000 Limit ffffd708131a1000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
00000000`00a1fd8c 00020000`f40a8522 : cccccccc`00020000 00a1fe04`cccccccc 00a1fdbc`00a1fe04 00a1fdc8`00a1fdbc : MyDll!Init+0x280 [c:\projects\develop\source\MyDll.cpp @ 32]
00000000`00a1fd94 cccccccc`00020000 : 00a1fe04`cccccccc 00a1fdbc`00a1fe04 00a1fdc8`00a1fdbc cccccccc`00a1fdc8 : 0x00020000`f40a8522
00000000`00a1fd9c 00a1fe04`cccccccc : 00a1fdbc`00a1fe04 00a1fdc8`00a1fdbc cccccccc`00a1fdc8 00a1fe5c`00000000 : 0xcccccccc`00020000
00000000`00a1fda4 00a1fdbc`00a1fe04 : 00a1fdc8`00a1fdbc cccccccc`00a1fdc8 00a1fe5c`00000000 00000000`00824890 : 0x00a1fe04`cccccccc
00000000`00a1fdac 00a1fdc8`00a1fdbc : cccccccc`00a1fdc8 00a1fe5c`00000000 00000000`00824890 008248e4`00000000 : 0x00a1fdbc`00a1fe04
00000000`00a1fdb4 cccccccc`00a1fdc8 : 00a1fe5c`00000000 00000000`00824890 008248e4`00000000 00a1fec4`00a1fe70 : 0x00a1fdc8`00a1fdbc
00000000`00a1fdbc 00a1fe5c`00000000 : 00000000`00824890 008248e4`00000000 00a1fec4`00a1fe70 cccccccc`cccccccc : 0xcccccccc`00a1fdc8
00000000`00a1fdc4 00000000`00824890 : 008248e4`00000000 00a1fec4`00a1fe70 cccccccc`cccccccc cccccccc`cccccccc : 0x00a1fe5c`00000000
00000000`00a1fdcc 008248e4`00000000 : 00a1fec4`00a1fe70 cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc : 0x824890
00000000`00a1fdd4 00a1fec4`00a1fe70 : cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc : 0x008248e4`00000000
00000000`00a1fddc cccccccc`cccccccc : cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc : 0x00a1fec4`00a1fe70
00000000`00a1fde4 cccccccc`cccccccc : cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc 00820000`00000000 : 0xcccccccc`cccccccc
00000000`00a1fdec cccccccc`cccccccc : cccccccc`cccccccc cccccccc`cccccccc 00820000`00000000 cccccccc`cccccccc : 0xcccccccc`cccccccc
00000000`00a1fdf4 cccccccc`cccccccc : cccccccc`cccccccc 00820000`00000000 cccccccc`cccccccc 00000000`cccccccc : 0xcccccccc`cccccccc
00000000`00a1fdfc cccccccc`cccccccc : 00820000`00000000 cccccccc`cccccccc 00000000`cccccccc cccccccc`00000007 : 0xcccccccc`cccccccc
00000000`00a1fe04 00820000`00000000 : cccccccc`cccccccc 00000000`cccccccc cccccccc`00000007 00830000`00000000 : 0xcccccccc`cccccccc
00000000`00a1fe0c cccccccc`cccccccc : 00000000`cccccccc cccccccc`00000007 00830000`00000000 cccccccc`cccccccc : 0x00820000`00000000
00000000`00a1fe14 00000000`cccccccc : cccccccc`00000007 00830000`00000000 cccccccc`cccccccc 00000000`cccccccc : 0xcccccccc`cccccccc
00000000`00a1fe1c cccccccc`00000007 : 00830000`00000000 cccccccc`cccccccc 00000000`cccccccc cccccccc`00000007 : 0xcccccccc
00000000`00a1fe24 00830000`00000000 : cccccccc`cccccccc 00000000`cccccccc cccccccc`00000007 00000000`cccccccc : 0xcccccccc`00000007
00000000`00a1fe2c cccccccc`cccccccc : 00000000`cccccccc cccccccc`00000007 00000000`cccccccc 008248e4`00a1fe5c : 0x00830000`00000000
00000000`00a1fe34 00000000`cccccccc : cccccccc`00000007 00000000`cccccccc 008248e4`00a1fe5c cccccccc`cccccccc : 0xcccccccc`cccccccc
00000000`00a1fe3c cccccccc`00000007 : 00000000`cccccccc 008248e4`00a1fe5c cccccccc`cccccccc 00000000`00000000 : 0xcccccccc
00000000`00a1fe44 00000000`cccccccc : 008248e4`00a1fe5c cccccccc`cccccccc 00000000`00000000 cccccccc`008248e4 : 0xcccccccc`00000007
00000000`00a1fe4c 008248e4`00a1fe5c : cccccccc`cccccccc 00000000`00000000 cccccccc`008248e4 00000000`00a1fecc : 0xcccccccc
00000000`00a1fe54 cccccccc`cccccccc : 00000000`00000000 cccccccc`008248e4 00000000`00a1fecc cccccccc`00820000 : 0x008248e4`00a1fe5c
00000000`00a1fe5c 00000000`00000000 : cccccccc`008248e4 00000000`00a1fecc cccccccc`00820000 cccccccc`cccccccc : 0xcccccccc`cccccccc
As expected, the thread call stack is not organized correctly, because the process runs on the 32-bit emulator and has been dumped in 64-bit mode.
However, when switching to wow64 mode (!wow64exts.sw), the thread cannot be dumped at all:
32.0: kd:x86> !thread
3002e080: Unable to get thread contents
The same behavior also occurs with the !process command:
32.0: kd:x86> !process
Searching for Process with Cid == 2f00c580
2e4739d0: Unable to read list
Cannot resolve nt!_EPROCESS object type
Any idea why?
Thanks