poizan42 / soswow64

windbg/dbgeng extension for debugging 64-bit dumps of 32-bit .NET processes.

!clrstack command does not work. #4

Closed eternity1984 closed 5 years ago

eternity1984 commented 5 years ago

Many sos commands worked, but the !clrstack command does not work.

Compiled x86 ver under .NET Framework 3.5 with VS2008.

  1. Run app(x86) in Windows 10 (x64, ver.1803)
  2. Open the taskmgr(x64) and create dump file.
  3. Open dump file using Windbg(x86, ver.6.11.0001.404)
  4. Run the following commands:
User Mini Dump File with Full Memory: Only application data is available

Executable search path is: 
Windows 7 Version 17134 MP (4 procs) Free x64
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Fri May 31 10:20:32.000 2019 (GMT+9)
System Uptime: 15 days 6:17:10.492
Process Uptime: 0 days 0:03:13.000
................................................................
wow64cpu!TurboDispatchJumpAddressEnd+0x544:
00000000`77371e4c c3              ret

0:000> lmvm mscorwks
start             end                 module name
00000000`6d010000 00000000`6d5c0000   mscorwks   (deferred)             
    Image path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
    Image name: mscorwks.dll
    Timestamp:        Thu Mar 28 13:23:02 2019 (5C9C4C26)
    CheckSum:         005AF486
    ImageSize:        005B0000
    File version:     2.0.50727.8941
    Product version:  2.0.50727.8941
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® .NET Framework
    InternalName:     mscorwks.dll
    OriginalFilename: mscorwks.dll
    ProductVersion:   2.0.50727.8941
    FileVersion:      2.0.50727.8941 (WinRelRS4.050727-8900)
    FileDescription:  Microsoft .NET Runtime Common Language Runtime - WorkStation
    LegalCopyright:   © Microsoft Corporation.  All rights reserved.
    Comments:         Flavor=Retail

0:000> .exepath D:\analysis\x86\2.0.50727.8941
Executable image search path is: D:\analysis\x86\2.0.50727.8941
Expanded Executable image search path is: d:\analysis\x86\2.0.50727.8941

0:000> .cordll -ve -u -l
CLR DLL status: No load attempts

0:000> !wow64exts.sw
Switched to 32bit mode

0:000:x86> .loadby sos mscorwks

0:000:x86> .load D:\analysis\tools\soswow64\soswow64.dll
Successfully hooked IDebugControl::GetExecutingProcessorType.
Successfully patched DbgEng!X86MachineInfo::ConvertCanonContextToTarget.

0:000:x86> !threads
ThreadCount: 2
UnstartedThread: 0
BackgroundThread: 1
PendingThread: 0
DeadThread: 0
Hosted Runtime: no
                                      PreEmptive   GC Alloc           Lock
       ID OSID ThreadOBJ    State     GC       Context       Domain   Count APT Exception
   0    1 3378 0000000000e30308      6020 Enabled  000000000305e2bc:000000000305e798 0000000000e2b258     0 STA
   5    2 31bc 0000000000e3d6e0      b220 Enabled  0000000000000000:0000000000000000 0000000000e2b258     0 MTA (Finalizer)

0:000:x86> !dso
OS Thread Id: 0x3378 (0)
ESP/REG  Object   Name
ebx      0000000003013ef8 System.Windows.Forms.Application+ThreadContext
esi      000000000305c3f4 System.Windows.Forms.Application+ComponentManager+ComponentHashtableEntry
edi      000000000305e298 System.Collections.Hashtable+HashtableEnumerator
0000000000b5f0b4 000000000305d1b0 System.Windows.Forms.NativeMethods+MSG[]
0000000000b5f0b8 0000000003013ef8 System.Windows.Forms.Application+ThreadContext
0000000000b5f0c0 000000000305c3ac System.Windows.Forms.Application+ComponentManager
0000000000b5f108 000000000305726c System.Windows.Forms.ApplicationContext
0000000000b5f110 000000000305726c System.Windows.Forms.ApplicationContext
0000000000b5f138 0000000003013ef8 System.Windows.Forms.Application+ThreadContext
0000000000b5f160 000000000305726c System.Windows.Forms.ApplicationContext
0000000000b5f164 0000000003013ef8 System.Windows.Forms.Application+ThreadContext
0000000000b5f174 000000000305726c System.Windows.Forms.ApplicationContext
0000000000b5f190 00000000030134c4 WindowsFormsApplication6.Form1
0000000000b5f194 000000000305726c System.Windows.Forms.ApplicationContext
0000000000b5f198 0000000003013ef8 System.Windows.Forms.Application+ThreadContext
0000000000b5f1a4 000000000305726c System.Windows.Forms.ApplicationContext
0000000000b5f1bc 00000000030134c4 WindowsFormsApplication6.Form1

0:000:x86> !clrstack
OS Thread Id: 0x3378 (0)
Failed to start stack walk: 80070057

0:000:x86> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00b5f114 6b1f9c77 00000000 ffffffff 00000000 win32u!NtUserWaitMessage+0xc
00b5f16c 6b1f9ac1 0305726c 1e650002 00000000 System_Windows_Forms_ni+0x209c77
00b5f19c 6b1b6911 0305726c 00b5f1ec 00e30308 System_Windows_Forms_ni+0x209ac1
00b5f1c0 6d011b6c 007b2d4c 00000001 00b5f250 System_Windows_Forms_ni+0x1c6911
00b5f1d0 6d02854b 00b5f2a0 00000000 00b5f270 mscorwks+0x1b6c
00b5f250 6d0305eb 00b5f2a0 00000000 00b5f270 mscorwks+0x1854b
00b5f394 6d03061e 00dac020 00b5f460 00b5f42c mscorwks+0x205eb
00b5f3b0 6d03063c 00dac020 00b5f460 00b5f42c mscorwks+0x2061e
00b5f3c8 6d0f084d 00b5f42c 20818181 00000000 mscorwks+0x2063c
00b5f52c 6d0f076d 00da302c 00000001 00b5f568 mscorwks!GetPrivateContextsPerfCounters+0x345c2
00b5f794 6d0f0c8a 00000000 208188c9 00000001 mscorwks!GetPrivateContextsPerfCounters+0x344e2
00b5fc64 6d0f0e74 007b0000 00000000 20818819 mscorwks!GetPrivateContextsPerfCounters+0x349ff
00b5fcb4 6d0f0da4 007b0000 20818851 00000000 mscorwks!CorExeMain+0x168
00b5fcfc 7070d93b 74f50efa 71344e10 7070d8c0 mscorwks!CorExeMain+0x98
00b5fd3c 7133e8b9 71344e10 70700000 41d0f1e0 mscoreei!CorExeMain+0x7b
00b5fd50 71344e18 71344e10 74758494 00956000 mscoree!DllUnregisterServer+0x169
00b5fd6c 774641c8 00956000 96fc377c 00000000 mscoree!CorExeMain+0x8
00b5fdb4 77464198 ffffffff 7747f325 00000000 ntdll_77400000!RtlAreBitsSet+0x88
00b5fdc4 00000000 71344e10 00956000 00000000 ntdll_77400000!RtlAreBitsSet+0x58

Could you help me solve my problem?

poizan42 commented 5 years ago

Hmm, this is running under .NET 2.0? I don't think I have ever tested it with anything older than 4.5. It may have something to do with the warning it usually gives about being unable to get stack limits from the TEB - I guess it is possible that it ends up getting the 64-bit TEB which won't work.
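An added illustration of the hypothesis in the comment above (not code from soswow64 or from either commenter): reading the stack limits out of a 64-bit TEB with the 32-bit `NT_TIB` field offsets yields an unusable range. The TEB contents are constructed sample values, the helper names are hypothetical, the stack pointer is the first `ChildEBP` from the `kb` output in the report, and a little-endian host is assumed. The page does not establish that this is what actually happens in this dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Leading NT_TIB fields as laid out for 32-bit and for 64-bit code. */
typedef struct { uint32_t ExceptionList, StackBase, StackLimit; } TIB32_HEAD;
typedef struct { uint64_t ExceptionList, StackBase, StackLimit; } TIB64_HEAD;

typedef struct { uint32_t base, limit; } stack_range;

/* Interpret raw TEB bytes with the 32-bit layout, as an x86 stack walker would. */
static stack_range read_limits_as_x86(const void *teb_bytes) {
    TIB32_HEAD h;
    memcpy(&h, teb_bytes, sizeof h);
    stack_range r = { h.StackBase, h.StackLimit };
    return r;
}

/* The stack grows down, so a usable SP satisfies limit <= sp < base. */
static int sp_in_range(stack_range r, uint32_t sp) {
    return r.limit < r.base && sp >= r.limit && sp < r.base;
}

/* Constructed 32-bit TEB head: the limits enclose the addresses seen in kb. */
static stack_range limits_from_teb32(void) {
    TIB32_HEAD t = { 0x00b5fda4u, 0x00b60000u, 0x00b5d000u };
    return read_limits_as_x86(&t);
}

/* Constructed 64-bit TEB head, misread through the 32-bit offsets:
 * offset 4 is the high dword of ExceptionList, offset 8 the low dword
 * of the 64-bit StackBase. */
static stack_range limits_from_teb64(void) {
    TIB64_HEAD t = { 0x0000000000958000ull, 0x0000000000a5fd20ull,
                     0x0000000000a58000ull };
    return read_limits_as_x86(&t);
}

int main(void) {
    const uint32_t sp = 0x00b5f114u; /* first ChildEBP in the kb output */
    stack_range ok = limits_from_teb32(), bad = limits_from_teb64();
    printf("32-bit TEB: base=%08x limit=%08x sp usable=%d\n",
           (unsigned)ok.base, (unsigned)ok.limit, sp_in_range(ok, sp));
    printf("64-bit TEB: base=%08x limit=%08x sp usable=%d\n",
           (unsigned)bad.base, (unsigned)bad.limit, sp_in_range(bad, sp));
    return 0;
}
```
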

eternity1984 commented 5 years ago

@poizan42 Yes, my app is running under .NET 2.0. Umm, I wonder why..?? I'll continue to confirm the cause.

I've confirmed that it works under .NET 4.5. It works great!! Thanks a lot :smile:

0:000:x86> !clrstack
OS Thread Id: 0x27d8 (0)
Child SP       IP Call Site
00b6f3bc 00a6e078 [InlinedCallFrame: 00b6f3bc] System.Windows.Forms.UnsafeNativeMethods.WaitMessage()
00b6f3b8 68b96f1e System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr, Int32, Int32)
00b6f444 68b96923 System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)
00b6f494 68b96790 System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)
00b6f4c0 68b6b7a5 System.Windows.Forms.Application.Run(System.Windows.Forms.Form)
00b6f4d4 0299048b WindowsFormsApp3.Program.Main() [D:\WindowsFormsApp3\Program.cs @ 19]
00b6f650 6b65ebe6 [GCFrame: 00b6f650]