首页 > 编程语言 >Windbg分析 64位系统抓32位程序的DUMP

Windbg分析 64位系统抓32位程序的DUMP

时间:2023-01-19 12:45:18浏览次数:60  
标签:XXXX Windbg DUMP 00000000 Threadpool Ukn Preemptive 64 00fdd4d0

当你在64位Windows系统上抓32位进程的dmup文件时
如果用的是64位任务管理器那么在用Windbg加载后要用!wow64exts.sw切换到X86模式下.
如果不想做这步切换 就要用32位的任务管理器来生成dmp文件。

32位任务管理器在C:\Windows\SysWOW64\Taskmgr.exe 


 

The version of SOS does not match the version of CLR you are debugging

分析dump文件时,由于客户生产环境与分析dump文件的环境不一致,常常会出现下面的错误

The version of SOS does not match the version of CLR you are debugging. Please
load the matching version of SOS for the version of CLR you are debugging.
CLR Version: 4.0.30319.34209
SOS Version: 4.7.2650.0

问题原因:客户生产环境的net版本是4.0.30319.34209,但分析环境的net版本是4.7.2650.0,二个环境的版本不一致。

解决方案:从客户生产环境(C:\Windows\Microsoft.NET\Framework64\v4.0.30319)拷贝这clr.dll,mscordacwks.dll,SOS.dll 这三个组件

替换到分析环境Symbol File Path路径,重新打开windbg,就正常了。


以上方法不行 就用WINDBG 32位版 试试

 


以上方法不行 用这里的方式试试 https://github.com/poizan42/soswow64
On a 64-bit Windows installation is it possible to make both 32-bit and 64-bit dumps of
32-bit processes.
The task manager will create a 64-bit dump, which therefore is often what you end up with
users sending you. This is not a problem for native executeables since you can still load
it in windbg and use the !wow64exts.sw extension to switch into the 32-bit view.

However if your process is a .NET process and you want to use SoS to investigate it then
you are out of luck, you'll just get the message
"SOS does not support the current target architecture."

This extension gets around this by hooking/patching functions in dbgeng.dll so that SoS
thinks it's working with a 32-bit dump.

** Usage **
Copy soswow64.dll into the "winxp" subfolder of windbg. Then after loading a 64-bit memory
dump of a 32-bit process you can simply load the extension:

0:000> .load soswow64
Successfully hooked IDebugControl::GetExecutingProcessorType.
Successfully patched DbgEng!X86MachineInfo::ConvertCanonContextToTarget.

Example:

0:000> .loadby sos clr
0:000> !wow64exts.sw
Switched to 32bit mode
0:000:x86> !threads
SOS does not support the current target architecture.
0:000:x86> .load soswow64
Successfully hooked IDebugControl::GetExecutingProcessorType.
Successfully patched DbgEng!X86MachineInfo::ConvertCanonContextToTarget.
0:000:x86> !threads
ThreadCount:      16
UnstartedThread:  0
BackgroundThread: 4
PendingThread:    0
DeadThread:       11
Hosted Runtime:   no
                                                                         Lock  
       ID OSID ThreadOBJ    State GC Mode     GC Alloc Context  Domain   Count Apt Exception
   0    1 318c 00fe9d58   202a020 Preemptive  029CD30C:00000000 00fdd4d0 0     MTA 
   2    2 5858 00ff78c8     2b220 Preemptive  00000000:00000000 00fdd4d0 0     MTA (Finalizer) 
XXXX    3    0 00fd63b8   8039820 Preemptive  00000000:00000000 00fdd4d0 0     Ukn (Threadpool Completion Port) 
   3    5 1ddc 01045c68   8029220 Preemptive  00000000:00000000 00fdd4d0 0     MTA (Threadpool Completion Port) 
XXXX    6    0 01046c18   8039820 Preemptive  00000000:00000000 00fdd4d0 0     Ukn (Threadpool Completion Port) 
XXXX    7    0 010857c8   1039820 Preemptive  00000000:00000000 00fdd4d0 0     Ukn (Threadpool Worker) 
XXXX    8    0 01089a20   1039820 Preemptive  00000000:00000000 00fdd4d0 0     Ukn (Threadpool Worker) 
XXXX    9    0 0108b300   1039820 Preemptive  00000000:00000000 00fdd4d0 0     Ukn (Threadpool Worker) 
XXXX   10    0 0108ceb8   1039820 Preemptive  00000000:00000000 00fdd4d0 0     Ukn (Threadpool Worker) 
XXXX   12    0 0109d418   1039820 Preemptive  00000000:00000000 00fdd4d0 0     Ukn (Threadpool Worker) 
XXXX   13    0 0109dc38   1039820 Preemptive  00000000:00000000 00fdd4d0 0     Ukn (Threadpool Worker) 
XXXX   14    0 010b2b10   1039820 Preemptive  00000000:00000000 00fdd4d0 0     Ukn (Threadpool Worker) 
XXXX   15    0 01084b98   1039820 Preemptive  00000000:00000000 00fdd4d0 0     Ukn (Threadpool Worker) 
XXXX   16    0 010be6b0   1039820 Preemptive  00000000:00000000 00fdd4d0 0     Ukn (Threadpool Worker) 
   4   18 5b88 01032318   1020220 Preemptive  00000000:00000000 00fdd4d0 0     Ukn (Threadpool Worker) 
   5   20 192c 0102ee48   202b220 Preemptive  029CE75C:00000000 00fdd4d0 0     MTA 

标签:XXXX,Windbg,DUMP,00000000,Threadpool,Ukn,Preemptive,64,00fdd4d0
From: https://www.cnblogs.com/ioriwellings/p/17061310.html

相关文章

  • imagemagick:图片的纵向及横向拼接(ImageMagick 6.9.12-64)
    一,图片横向拼接:说明:+append横向把多张图片拼接在一起,可以多于2张,图片按上边缘对齐,最后一个参数是目标图片例如:[lhdop@blogimg3]$convert+appendfendou.jpeghd......
  • 微信小程序 wx.previewImage()(传入base64数据)
    场景应用微信小程序使用wx.previewImage()浏览图片,但是后台传过来的是base64数据。思路先把base64作为临时文件存到本地,然后预览,预览结束时删除临时文件//获取应用实......
  • x64 windows 8 下无法安装QQ2012
    安装好windows8后,应用商店中居然有QQ,很是激动,于是下载安装.安装完成后发现功能有限,于是上QQ官方网站下载QQ2012版,安装完成后,运行提示错误,无法运行.具体错误内容忘了,......
  • tcpdump
    一.网址参考1. 抓包神器:tcpdump!我还真没用过2. Linuxtcpdump命令详解3. Tcpdump命令参数详解......
  • LeetCode Top 100 Liked Questions 64. Minimum Path Sum (Java版; Medium)
    ​​welcometomyblog​​LeetCodeTop100LikedQuestions64.MinimumPathSum(Java版;Medium)题目描述Givenamxngridfilledwithnon-negativenumbers,fi......
  • ubuntu移植Tcpdump到Android平台
    方式一。手动编译参考这里https://www.jianshu.com/p/aca8345dc7fb注意要将文件复制到Ubuntu系统里的目录,不要用挂载目录执行。方式二。搜索androidtcpdumpbinary......
  • JS二进制:File、Blob、FileReader、ArrayBuffer、Base64
    JavaScript提供了一些API来处理文件或原始文件数据,例如:File、Blob、FileReader、ArrayBuffer、base64等。  Blob全称为binarylargeobject,即二进制大对象,它是......
  • CF1364C-Ehab and Prefix MEXs
    a[i]<=i,否则当a[i]>i时,需要1~i项有数字0~a[i]-1,这一共是a[i]个数字,而1~i项只有i个数字,需要的比拥有的数字多,不成立当a[i]!=a[i-1]时,说明Mex改变了,那么需要b[i]为a[i-1]才......
  • IDA Pro x64 反编译
    强大的静态反编译工具IDAPro上链接:http://sd.downxia.com/down/idapropjb.rar?key=2a7f8f40c7d9562d1bd832299040d9d1&uskey=1516d886918b2fdd593b0d599e74b2a93776af05......
  • CVE-2022-46463复现文章
    本文来自博客YX'BLOGhttp://535yx.cnHarbor是为企业用户设计的容器镜像仓库开源项目,包括了权限管理(RBAC)、LDAP、审计、安全漏洞扫描、镜像验真、管理界面、自我注册......