
Thursday 11 September 2014

WinDbg : How to Debug a 32 bit Executable in A 64 bit debugger (wow64exts)

WinDbg : wow64exts


We often run 32-bit processes on a 64-bit Windows OS. Such processes run through Windows On Windows (WoW). However, debugging dumps of such processes can pose certain problems. It is always advisable to use the 32-bit version of WinDbg to debug a 32-bit process. However, when the 32-bit debugger is not available and we still want to debug a 32-bit process, we need to tell the debugger that the target is 32-bit. If we don't, the wow64-specific stack traces show up, which can be confusing and at times even misleading.





0:000> .load wow64exts
0:000> .chain
Extension DLL search Path:
    C:\WinDDK\7600.16385.1\Debuggers\WINXP;C:\WinDDK\7600.16385.1\Debuggers\winext;C:\WinDDK\7600.16385.1\Debuggers\winext\arcade;C:\WinDDK\7600.16385.1\Debuggers\pri;C:\WinDDK\7600.16385.1\Debuggers;C:\WinDDK\7600.16385.1\Debuggers\winext\arcade;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Microsoft ASP.NET\ASP.NET Web Pages\v1.0\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\;C:\Program Files\Perforce;C:\Program Files\Collaborator Client
Extension DLL chain:
    dbghelp: image 6.12.0002.633, API 6.1.6, built Tue Feb 02 01:45:44 2010
        [path: C:\WinDDK\7600.16385.1\Debuggers\dbghelp.dll]
    ext: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 01:45:46 2010
        [path: C:\WinDDK\7600.16385.1\Debuggers\winext\ext.dll]
    wow64exts: image 6.1.7650.0, API 1.0.0, built Tue Feb 02 01:45:14 2010
        [path: C:\WinDDK\7600.16385.1\Debuggers\WINXP\wow64exts.dll]
    exts: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 01:45:38 2010
        [path: C:\WinDDK\7600.16385.1\Debuggers\WINXP\exts.dll]
    uext: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 01:45:36 2010
        [path: C:\WinDDK\7600.16385.1\Debuggers\winext\uext.dll]
    ntsdexts: image 6.1.7650.0, API 1.0.0, built Tue Feb 02 01:45:18 2010
        [path: C:\WinDDK\7600.16385.1\Debuggers\WINXP\ntsdexts.dll]

wow64exts has its own help section, which can be accessed with the help command, as shown below.

0:000> !wow64exts.help

Wow64 debugger extension commands: 

sw:            Switch between 32-bit and 64-bit mode
k <count>:     Combined 32/64 stack trace
info:          Dumps information about some important wow64 structures
r [addr]:      Dumps x86 CONTEXT
lf:            Dump/Set log flags
l2f:           Enable logging to file


Using the sw switch we can switch between the 32 and 64 bit modes.


0:000> !wow64exts.sw
Switched to 32bit mode
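
As an added example (not part of the original post): a small Python check that tells, before a dump is opened, whether it is a 64-bit dump of a 32-bit process, which is the case where `.load wow64exts` and `!wow64exts.sw` are needed. The function names, the `wow64.dll` heuristic and the sample dump produced by `build_sample` are assumptions made for this illustration.

```python
import struct

X86, AMD64 = 0, 9                 # ProcessorArchitecture values in SystemInfoStream
MODULE_LIST, SYSTEM_INFO = 4, 7   # MINIDUMP_STREAM_TYPE values

def dump_kind(data: bytes) -> str:
    """Return 'x86', 'x64', or 'wow64' (64-bit dump of a 32-bit process)."""
    sig, _ver, nstreams, dir_rva = struct.unpack_from("<4sIII", data, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump")
    arch, modules = None, []
    for i in range(nstreams):
        stype, _size, rva = struct.unpack_from("<III", data, dir_rva + 12 * i)
        if stype == SYSTEM_INFO:
            (arch,) = struct.unpack_from("<H", data, rva)
        elif stype == MODULE_LIST:
            (count,) = struct.unpack_from("<I", data, rva)
            for m in range(count):
                # ModuleNameRva is at offset 20 of each 108-byte MINIDUMP_MODULE
                (name_rva,) = struct.unpack_from("<I", data, rva + 4 + 108 * m + 20)
                (nbytes,) = struct.unpack_from("<I", data, name_rva)
                name = data[name_rva + 4:name_rva + 4 + nbytes].decode("utf-16-le")
                modules.append(name.rsplit("\\", 1)[-1].lower())
    if arch == X86:
        return "x86"
    if arch == AMD64:
        # Heuristic (assumption): wow64.dll in the module list marks a WoW64 process
        return "wow64" if "wow64.dll" in modules else "x64"
    raise ValueError(f"unhandled ProcessorArchitecture {arch}")

def build_sample(arch: int, names: list) -> bytes:
    """Constructed minimal minidump (not a real capture) to exercise dump_kind."""
    str_base = 64 + 108 * len(names)   # header 32 + directory 24 + sysinfo 4 + count 4
    mods = strings = b""
    for n in names:
        raw = n.encode("utf-16-le")
        mods += struct.pack("<QIIII", 0, 0, 0, 0, str_base + len(strings)) + bytes(84)
        strings += struct.pack("<I", len(raw)) + raw
    header = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 2, 32, 0, 0, 0)
    directory = (struct.pack("<III", SYSTEM_INFO, 4, 56)
                 + struct.pack("<III", MODULE_LIST, 4 + len(mods), 60))
    body = struct.pack("<HH", arch, 0) + struct.pack("<I", len(names))
    return header + directory + body + mods + strings

if __name__ == "__main__":
    sample = build_sample(AMD64, [r"C:\Windows\System32\ntdll.dll",
                                  r"C:\Windows\System32\wow64.dll"])
    print(dump_kind(sample))
```

A result of `wow64` means the dump needs the wow64exts switch shown above; `x86` means it was captured as a 32-bit dump and can be read without it.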
