Debugging WOW64 processes

Source: Internet | Editor: 程序博客网 | Date: 2024/06/06 04:42

When a 64-bit debugger is used on a WOW64 process, the CPU context defaults to 64-bit. If you then dump the call stack of a WOW64 thread you see only the 64-bit frames: the kernel frames, the syscall trap and the wow64cpu/wow64/wow64win emulation layer, but none of the 32-bit user-mode frames that the 32-bit code is actually executing. For example, here is the main thread of a 32-bit notepad.exe on 64-bit Windows as seen from the kernel debugger:

kd> k
Child-SP          RetAddr           Call Site
fffff880`0382b740 fffff800`03eea992 : nt!KiSwapContext+0x7a
fffff880`0382b880 fffff800`03ee9eaa : nt!KiCommitThreadWait+0x1d2
fffff880`0382b910 fffff800`041dbccf : nt!KeWaitForMultipleObjects+0x272
fffff880`0382bbd0 fffff800`0420a08d : nt!ObpWaitForMultipleObjects+0x294
fffff880`0382c0a0 fffff800`03ee48d3 : nt!NtWaitForMultipleObjects32+0xec
fffff880`0382c2f0 00000000`74cf2e09 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0382c360)
00000000`0014dd18 00000000`74cf283e : wow64cpu!CpupSyscallStub+0x9
00000000`0014dd20 00000000`74d6d07e : wow64cpu!WaitForMultipleObjects32+0x3b
00000000`0014dde0 00000000`74d68a40 : wow64!RunCpuSimulation+0xa
00000000`0014de30 00000000`74d3a154 : wow64!Wow64KiUserCallbackDispatcher+0x204
00000000`0014e180 00000000`771e1225 : wow64win!whcbClientWaitMessageExMPH+0x58
00000000`0014eb30 00000000`74cf2e09 : ntdll!KiUserCallbackDispatcherContinue (TrapFrame @ 00000000`0014e9f8)
00000000`0014eb98 00000000`74cf2dbf : wow64cpu!CpupSyscallStub+0x9
00000000`0014eba0 00000000`74d6d07e : wow64cpu!Thunk0Arg+0x5
00000000`0014ec60 00000000`74d6c549 : wow64!RunCpuSimulation+0xa
00000000`0014ecb0 00000000`771d4956 : wow64!Wow64LdrpInitialize+0x429
00000000`0014f200 00000000`771d1a17 : ntdll!LdrpInitializeProcess+0x17e4
00000000`0014f6f0 00000000`771bc32e : ntdll! ?? ::FNODOBFM::`string'+0x29220
00000000`0014f760 00000000`00000000 : ntdll!LdrInitializeThunk+0xe

To see the 32-bit call stack, the following steps are needed:

1. Load the wow64exts.dll debugger extension (.load wow64exts)

kd> .load wow64exts

2. Check whether the current CPU context is 64-bit; if it is not, switch to it (.effmach amd64)

kd:x86> .effmach amd64
Effective machine: x64 (AMD64)

3. Run .thread /r /p /w on the target thread's ETHREAD address (here fffffa800a69a910); /w tells the debugger to load the WOW64 context and symbols for that thread

kd> .thread /r /p /w fffffa800a69a910
Loading User Symbols
.....
Loading Wow64 Symbols
.........................
x86 context set

4. View the thread's stack (run k); the prompt now reads kd:x86> and the frames are 32-bit

kd:x86> k
ChildEBP RetAddr
0022fd34 75f07ebd USER32!NtUserGetMessage+0x15
0022fd50 00b7148a USER32!GetMessageW+0x33
0022fd90 00b716ec notepad!WinMain+0xe6
0022fe20 74db3677 notepad!__mainCRTStartup+0x140
0022fe2c 77199d72 kernel32!BaseThreadInitThunk+0xe
0022fe6c 77199d45 ntdll_77160000!__RtlUserThreadStart+0x70
0022fe84 00000000 ntdll_77160000!_RtlUserThreadStart+0x1b
kd:x86> .effmach amd64
Effective machine: x64 (AMD64)
kd> $ Notice the 32-bit ntdll.dll is loaded into the WOW64 process address space
kd> lmv m ntdll_77160000
Image path: C:\Windows\SysWOW64\ntdll.dll


NOTE:

1. .thread /w sets the current thread's register context and loads the WOW64 (x86) symbols for that thread. The 32-bit ntdll.dll appears under a renamed module (ntdll_77160000 above) because a second ntdll, the 64-bit one, is already loaded in the same address space.

2. .thread must be run from the 64-bit context in the debugger (.effmach amd64) for it to decode the WOW64 symbols successfully.

3. .thread is a kernel-mode command. If you have to use a 64-bit user-mode debugger on a WOW64 process, switch the CPU context with .effmach x86 (or !wow64exts.sw after loading the extension) to view the 32-bit user-mode stack, and .effmach amd64 to return to the 64-bit view.
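The following is an added example and not part of the original post. It parses the text that WinDbg's k command prints and reports whether the frames are the 64-bit view of a WOW64 thread (in which case the x86 frames are hidden behind the wow64cpu/wow64/wow64win layer and the context switch above is needed) or an x86 view that is already correct. The module-name heuristic, the Frame/Diagnosis types and the advice strings are this example's own; the sample inputs are abridged copies of the two stacks shown on this page.

```python
"""Classify WinDbg `k` output from a WOW64 thread (added example).

Effective machine is inferred from the address width the debugger printed:
xxxxxxxx`xxxxxxxx means amd64, a plain 8-digit address means x86. Frames from
wow64cpu!, wow64! or wow64win! in an amd64 view mean the real 32-bit user-mode
frames are hidden and `.thread /r /p /w <ethread>` (kd) or `.effmach x86`
(user-mode debugger) is required to see them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Modules of the WOW64 emulation layer on x64 Windows (this example's heuristic).
WOW64_LAYER = {"wow64", "wow64cpu", "wow64win"}

# One `k` frame: child SP, return address, optional ':', then the call site.
FRAME_RE = re.compile(
    r"^\s*(?P<sp>[0-9a-f]{8}(?:`[0-9a-f]{8})?)\s+"
    r"(?P<ret>[0-9a-f]{8}(?:`[0-9a-f]{8})?)\s*:?\s*(?P<site>\S.*)$"
)


@dataclass
class Frame:
    child_sp: int
    ret_addr: int
    module: str   # text before '!' (e.g. 'wow64cpu', 'ntdll_77160000')
    site: str     # full call-site text as printed
    wide: bool    # True if the address was printed in 64-bit form


def parse_k(text: str) -> list[Frame]:
    """Return the frames in `k` output, skipping prompts, headers and blanks."""
    frames: list[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        site = m.group("site").strip()
        frames.append(Frame(
            child_sp=int(m.group("sp").replace("`", ""), 16),
            ret_addr=int(m.group("ret").replace("`", ""), 16),
            module=site.split("!", 1)[0].strip().lower(),
            site=site,
            wide="`" in m.group("sp"),
        ))
    return frames


@dataclass
class Diagnosis:
    effmach: str                  # "amd64" or "x86"
    hidden_x86: bool              # 32-bit frames not visible in this view
    layer_frames: list[str] = field(default_factory=list)
    advice: str = ""


def diagnose(text: str) -> Diagnosis:
    """Decide whether the stack needs the WOW64 context switch."""
    frames = parse_k(text)
    if not frames:
        raise ValueError("no stack frames recognised in input")
    wide = any(f.wide for f in frames)
    layer = [f.site for f in frames if f.module in WOW64_LAYER]
    hidden = wide and bool(layer)
    if hidden:
        advice = ("64-bit view of a WOW64 thread; x86 frames are in the WOW64 "
                  "context. kd: .load wow64exts; .thread /r /p /w <ethread>; k. "
                  "User-mode debugger: .effmach x86; k.")
    elif not wide and any(f.module.startswith("ntdll_") for f in frames):
        advice = "x86 view is active; ntdll_<base> is the 32-bit SysWOW64\\ntdll.dll."
    elif not wide:
        advice = "x86 view is active."
    else:
        advice = "native 64-bit thread; no context switch needed."
    return Diagnosis("amd64" if wide else "x86", hidden, layer, advice)


# Abridged copies of the two stacks shown on this page.
SAMPLE_X64 = """\
kd> k
Child-SP          RetAddr           Call Site
fffff880`0382c0a0 fffff800`03ee48d3 : nt!NtWaitForMultipleObjects32+0xec
fffff880`0382c2f0 00000000`74cf2e09 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0382c360)
00000000`0014dd18 00000000`74cf283e : wow64cpu!CpupSyscallStub+0x9
00000000`0014dd20 00000000`74d6d07e : wow64cpu!WaitForMultipleObjects32+0x3b
00000000`0014dde0 00000000`74d68a40 : wow64!RunCpuSimulation+0xa
00000000`0014de30 00000000`74d3a154 : wow64!Wow64KiUserCallbackDispatcher+0x204
00000000`0014e180 00000000`771e1225 : wow64win!whcbClientWaitMessageExMPH+0x58
00000000`0014f760 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
"""

SAMPLE_X86 = """\
kd:x86> k
ChildEBP RetAddr
0022fd34 75f07ebd USER32!NtUserGetMessage+0x15
0022fd50 00b7148a USER32!GetMessageW+0x33
0022fd90 00b716ec notepad!WinMain+0xe6
0022fe20 74db3677 notepad!__mainCRTStartup+0x140
0022fe2c 77199d72 kernel32!BaseThreadInitThunk+0xe
0022fe6c 77199d45 ntdll_77160000!__RtlUserThreadStart+0x70
0022fe84 00000000 ntdll_77160000!_RtlUserThreadStart+0x1b
"""

if __name__ == "__main__":
    for name, text in (("x64 view", SAMPLE_X64), ("x86 view", SAMPLE_X86)):
        d = diagnose(text)
        print(f"{name}: effmach={d.effmach} hidden_x86={d.hidden_x86}")
        print("  " + d.advice)
```

Feed it the output of k for one thread, or of ~*k / !process with thread stacks for many, to find the threads that still need the x86 switch. The address-width test is what distinguishes the two views; the wow64* module test is what separates a WOW64 thread from a native 64-bit one whose stack would also print wide addresses.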


