Raw Stack Dump of all threads (part 4)
The previously published script that dumps the raw stack of all threads only dumps the 64-bit raw stack when run against a 64-bit memory dump of a WOW64 process (a 32-bit process saved in a 64-bit dump). To dump the WOW64 32-bit raw stack from such 64-bit dumps we need another script. After I found the location of the 32-bit TEB pointer (WOW64 TEB32) inside the 64-bit TEB structure I was able to create one:
0:000> .load wow64exts
0:000> !teb
Wow64 TEB32 at 000000007efdd000
Wow64 TEB at 000000007efdb000
ExceptionList: 000000007efdd000
StackBase: 000000000008fd20
StackLimit: 0000000000082000
SubSystemTib: 0000000000000000
FiberData: 0000000000001e00
ArbitraryUserPointer: 0000000000000000
Self: 000000007efdb000
EnvironmentPointer: 0000000000000000
ClientId: 0000000000000f34 . 0000000000000290
RpcHandle: 0000000000000000
Tls Storage: 0000000000000000
PEB Address: 000000007efdf000
LastErrorValue: 0
LastStatusValue: 0
Count Owned Locks: 0
HardErrorMode: 0
0:000:x86> !wow64exts.info
PEB32: 0x7efde000
PEB64: 0x7efdf000
Wow64 information for current thread:
TEB32: 0x7efdd000
TEB64: 0x7efdb000
32 bit, StackBase : 0x1a0000
StackLimit : 0x190000
Deallocation: 0xa0000
64 bit, StackBase : 0x8fd20
StackLimit : 0x82000
Deallocation: 0x50000
[...]
0:000:x86> dd 000000007efdd000 L4
7efdd000 0019fa84 001a0000 00190000 00000000
The ExceptionList field of the 64-bit TEB holds the TEB32 address, and at offsets +4 and +8 of the 32-bit TEB we find the 32-bit StackBase and StackLimit, so the script obviously should be this:
~*e r? $t1 = ((ntdll!_NT_TIB *)@$teb)->ExceptionList; !wow64exts.info; dds poi(@$t1+8) poi(@$t1+4)
Before running it against a freshly opened user dump, and after setting up symbols, we need to execute the following commands first:
.load wow64exts;
.effmach x86
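To make the address arithmetic in the one-liner explicit, here is a small Python model of it, added as an example for this post and not code from the original article. It builds a constructed memory image from the TEB values shown in the !teb and dd output above (the stack contents and the example.dll range are made up), follows TEB64.NtTib.ExceptionList to the TEB32, reads the 32-bit StackLimit/StackBase, and walks the top of that range the way a dds-style dump would, tagging dwords that fall inside a known range. The NT_TIB field offsets used are the standard ones (ExceptionList/StackBase/StackLimit at 0/4/8 for 32-bit and 0/8/0x10 for 64-bit); the Memory class and the helper names are assumptions of this example.

```python
import struct

# NT_TIB header offsets shared by every TEB (standard layout, not page-specific)
TIB64_EXCEPTION_LIST, TIB64_STACK_BASE, TIB64_STACK_LIMIT = 0x0, 0x8, 0x10
TIB32_EXCEPTION_LIST, TIB32_STACK_BASE, TIB32_STACK_LIMIT = 0x0, 0x4, 0x8


class Memory:
    """Sparse memory image: {base_address: bytes}. Constructed stand-in for a user dump."""

    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                off = addr - base
                return data[off:off + size]
        raise ValueError(f"address {addr:#x} (+{size}) is not present in the image")

    def u32(self, addr):
        return struct.unpack_from("<I", self.read(addr, 4))[0]

    def u64(self, addr):
        return struct.unpack_from("<Q", self.read(addr, 8))[0]


def native_raw_stack_range(mem, teb64):
    """What the earlier script dumps: the 64-bit stack from the 64-bit TEB."""
    return mem.u64(teb64 + TIB64_STACK_LIMIT), mem.u64(teb64 + TIB64_STACK_BASE)


def wow64_raw_stack_range(mem, teb64):
    """Mirror of the WinDbg one-liner: TEB64.NtTib.ExceptionList holds the TEB32
    address; the 32-bit StackLimit/StackBase live at TEB32+8 / TEB32+4."""
    teb32 = mem.u64(teb64 + TIB64_EXCEPTION_LIST)   # @$t1 in the script
    limit = mem.u32(teb32 + TIB32_STACK_LIMIT)       # poi(@$t1+8)
    base = mem.u32(teb32 + TIB32_STACK_BASE)         # poi(@$t1+4)
    if not limit < base:
        raise ValueError(f"implausible stack range {limit:#x}..{base:#x}")
    return limit, base


def dump_dwords(mem, start, end, hints):
    """dds-like walk over [start, end): (address, value, label) per dword, where
    label names the first hint range {name: (lo, hi)} that contains the value."""
    rows = []
    for addr in range(start, end, 4):
        val = mem.u32(addr)
        label = ""
        for name, (lo, hi) in hints.items():
            if lo <= val < hi:
                label = f"{name}+{val - lo:#x}"
                break
        rows.append((addr, val, label))
    return rows


def build_example_image():
    """Constructed image using the addresses from the !teb / dd output above."""
    # 64-bit TEB at 7efdb000: ExceptionList (= TEB32), StackBase, StackLimit
    teb64 = struct.pack("<QQQ", 0x7EFDD000, 0x8FD20, 0x82000)
    # 32-bit TEB at 7efdd000, exactly the four dwords shown by 'dd 7efdd000 L4'
    teb32 = struct.pack("<IIII", 0x0019FA84, 0x001A0000, 0x00190000, 0)
    # 64 KB 32-bit stack 190000..1a0000; a few made-up dwords near the top
    stack = bytearray(0x10000)
    struct.pack_into("<I", stack, 0xFFE0, 0x10001234)   # looks like a code address
    struct.pack_into("<I", stack, 0xFFE4, 0x0019FFF0)   # looks like a saved frame pointer
    struct.pack_into("<I", stack, 0xFFE8, 0x00000007)   # a plain integer
    return Memory({0x7EFDB000: teb64, 0x7EFDD000: teb32, 0x190000: bytes(stack)})


if __name__ == "__main__":
    mem = build_example_image()
    limit, base = wow64_raw_stack_range(mem, 0x7EFDB000)
    print(f"64-bit stack: {native_raw_stack_range(mem, 0x7EFDB000)}")
    print(f"32-bit stack: {limit:#x}..{base:#x}")
    # example.dll range is a constructed placeholder for a loaded module
    hints = {"example.dll": (0x10000000, 0x10010000), "stack": (limit, base)}
    for addr, val, label in dump_dwords(mem, base - 0x20, base, hints):
        print(f"{addr:08x}  {val:08x}  {label}")
```

The two range functions make the difference between the old and the new script concrete: both start from the same 64-bit TEB, but only the second one hops through ExceptionList into the 32-bit TEB before reading the stack bounds.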
I’ve also created a page to put all such scripts together:
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -