My Warcraft 0x0000000000

an exception or a breakpoint comes from wow64.dll
Source: 开发界
Author: admin
Editor: admin
Sometimes we get a process dump from x64 Windows and when we load it into WinDbg we get the output telling us that an exception or a breakpoint comes from wow64.dll. For example:
Loading Dump File [X:\ppid2088.dmp]
User Mini Dump File with Full Memory: Only application data is available
Comment: 'Userdump generated complete user-mode minidump with Exception Monitor function on SERVER01'
Symbol search path is: srv*c:\mss*/download/symbols
Executable search path is:
Windows Server 2003 Version 3790 (Service Pack 2) MP (4 procs) Free x64
Product: Server, suite: TerminalServer
Debug session time: Tue Sep  4 13:36:14.000 2007 (GMT+2)
System Uptime: 6 days 3:32:26.081
Process Uptime: 0 days 0:01:54.000
WARNING: tsappcmp overlaps ws2_32
WARNING: msvcp60 overlaps oleacc
WARNING: tapi32 overlaps rasapi32
WARNING: rtutils overlaps rasman
WARNING: dnsapi overlaps rasapi32
WARNING: wldap32 overlaps dnsapi
WARNING: ntshrui overlaps userenv
WARNING: wtsapi32 overlaps dnsapi
WARNING: winsta overlaps setupapi
WARNING: activeds overlaps rtutils
WARNING: activeds overlaps rasman
WARNING: adsldpc overlaps activeds
WARNING: drprov overlaps apphelp
WARNING: netui1 overlaps netui0
WARNING: davclnt overlaps apphelp
...
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(): Unknown exception - code (first/second chance not available)
wow64!Wow64NotifyDebugger+0x9:
b1           mov     al,1
Analysis shows that some run-time exception was raised but the stack trace shows only WOW64 CPU simulation code in all process threads:
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
FAULTING_IP:
kernel32!RaiseException+`7d4e2366 5e              pop     rsi
EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: e2366 (kernel32!RaiseException+0x0053)
   ExceptionCode:
  ExceptionFlags:
NumberParameters: 0
DEFAULT_BUCKET_ID:  STACK_CORRUPTION
PROCESS_NAME:  App.exe
ERROR_CODE: (NTSTATUS) 0x6d9 - There are no more endpoints available from the endpoint mapper.
NTGLOBALFLAG:  0
APPLICATION_VERIFIER_FLAGS:  0
LAST_CONTROL_TRANSFER:  from 64f2 to 6369
FOLLOWUP_IP:
wow64!Wow64NotifyDebugger+b1           mov     al,1
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  wow64!Wow64NotifyDebugger+9
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: wow64
IMAGE_NAME:  wow64.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  45d6943d
FAULTING_THREAD:  2fe4
PRIMARY_PROBLEM_CLASS:  STACK_CORRUPTION
BUGCHECK_STR:  APPLICATION_FAULT_STACK_CORRUPTION
STACK_COMMAND:  ~0s; . dt ntdll!LdrpLastDllInitializer BaseDllN dt ntdll!LdrpFailureD kb
FAILURE_BUCKET_ID:  X64_APPLICATION_FAULT_STACK_CORRUPTION_wow64!Wow64NotifyDebugger+9
BUCKET_ID:  X64_APPLICATION_FAULT_STACK_CORRUPTION_wow64!Wow64NotifyDebugger+9
Followup: MachineOwner
---------
0:000> ~*k
Suspend: 1 Teb: efdb000 Unfrozen
Child-SP          RetAddr           Call Site
6e190 b0064f2 wow64!Wow64NotifyDebugger+0x16e1c0 b006866 wow64!Wow64KiRaiseException+0x`c7d wow64!Wow64SystemServiceEx+0xd16edf0 b006a5a wow64cpu!ServiceNoTurbo+0x`e0d wow64!RunCpuSimulation+0xa6eeb0 ed8030 wow64!Wow64LdrpInitialize+0x2ed6f3f0 ed582f ntdll!LdrpInitializeProcess+0x` ef30a5 ntdll!LdrpInitialize+0x18f6f7d0 d4d1510 ntdll!KiUserApcDispatcher+0x`0016fcc8 00000 kernel32!BaseProcessStartThunk6fcd0 6fcd8 6fce0 6fce8 6fcf0 6fcf8 6fd00 6fd08 07`fd10 6fd18
   1  Id: c Suspend: 1 Teb: efd8000 Unfrozen
Child-SP          RetAddr           Call Site
0f0d8 b006a5a wow64cpu!WaitForMultipleObjects32+0x3a0f180 b005e0d wow64!RunCpuSimulation+0xa0f1b0 f109f0 wow64!Wow64LdrpInitialize+0x2ed0f6f0 ef30a5 ntdll!LdrpInitialize+0x2aa0f7d0 d4d1504 ntdll!KiUserApcDispatcher+0x`0200fcc8 00000 kernel32!BaseThreadStartThunk0fcd0 0fcd8 0fce0 0fce8 0fcf0 0fcf8 0fd00 x00fd08 2f`fd10 0fd18 0fd20 0fd28 0fd30 0fd38
Suspend: 1 Teb: efd5000 Unfrozen
Child-SP          RetAddr           Call Site
2e7c8 b29c464 wow64win!ZwUserGetMessage+0xa2e7d0 b006866 wow64win!whNtUserGetMessage+0x`c7d wow64!Wow64SystemServiceEx+0xd72f0f0 b006a5a wow64cpu!ServiceNoTurbo+0x`e0d wow64!RunCpuSimulation+0xa2f1b0 f109f0 wow64!Wow64LdrpInitialize+0x2ed2f6f0 ef30a5 ntdll!LdrpInitialize+0x2aa2f7d0 d4d1504 ntdll!KiUserApcDispatcher+0x`0272fcc8 00000 kernel32!BaseThreadStartThunk2fcd0 2fcd8 2fce0 2fce8 2fcf0 2fcf8 2fd00 2fd08 03`fd10 2fd18 2fd20
Suspend: 1 Teb: efad000 Unfrozen
Child-SP          RetAddr           Call Site
9f108 b84191 wow64cpu!CpupSyscallStub+0x89f110 b006a5a wow64cpu!Thunk2ArgNSpNSpReloadState+0x`e0d wow64!RunCpuSimulation+0xa9f1b0 f109f0 wow64!Wow64LdrpInitialize+0x2ed9f6f0 ef30a5 ntdll!LdrpInitialize+0x2aa9f7d0 d4d1504 ntdll!KiUserApcDispatcher+0x`0289fcc8 00000 kernel32!BaseThreadStartThunk9fcd0 9fcd8 9fce0 9fce8 9fcf0 9fcf8 9fd00 x89fd08 2f`fd10 9fd18 9fd20 9fd28 9fd30
Suspend: 1 Teb: efa4000 Unfrozen
Child-SP          RetAddr           Call Site
def0a8 b006a5a wow64cpu!RemoveIoCompletionFault+0x`02def180 b005e0d wow64!RunCpuSimulation+0xadef1b0 f109f0 wow64!Wow64LdrpInitialize+0x2eddef6f0 ef30a5 ntdll!LdrpInitialize+0x2aadef7d0 d4d1504 ntdll!KiUserApcDispatcher+0x`02defcc8 00000 kernel32!BaseThreadStartThunkdefcd0 defcd8 defce0 defce8 defcf0 defcf8 defd00 xdefd08 2f`0000`02defd10 defd18 defd20 defd28 defd30 defd38
This is a clear indication that the process was in fact 32-bit but the dump is 64-bit. This situation is depicted in one of my earlier posts last year:
Dumps, Debuggers and Virtualization
and we need a debugger plugin to understand virtualized CPU architecture:
Dumps, Debuggers and Virtualization refined
This crash dump pattern can be called Virtualized Process. In our case we need to load the wow64exts.dll WinDbg extension and set the target processor mode to x86 by using the .effmach command:
0:000> .load wow64exts
0:000> .effmach x86
Effective machine: x86 compatible (x86)
Then analysis gives us more meaningful results:
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
FAULTING_IP:
kernel32!RaiseException+`7d4e2366 5e              pop     esi
EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: e2366 (kernel32!RaiseException+0x0053)
   ExceptionCode:
  ExceptionFlags:
NumberParameters: 0
BUGCHECK_STR:  6d9
DEFAULT_BUCKET_ID:  APPLICATION_FAULT
PROCESS_NAME:  App.exe
ERROR_CODE: (NTSTATUS) 0x6d9 - There are no more endpoints available from the endpoint mapper.
NTGLOBALFLAG:  0
APPLICATION_VERIFIER_FLAGS:  0
LAST_CONTROL_TRANSFER:  from da4a631 to e2366
STACK_TEXT:
da4a631
00000 kernel32!RaiseException+0xa4 7da4a5f7
0012ddc4 0012dda0 rpcrt4!RpcpRaiseException+0xb4 7dacda00 4a860 rpcrt4!NdrGetBuffer+0x460012dda0 5f2a2fba 5ff2ddc4 rpcrt4!NdrClientCall2+0x1970012ddbc 5f29c6a6 00 hnetcfg!FwOpenDynamicFwPort+0x1ddba860 00002 hnetcfg!IcfOpenDynamicFwPort+0x6ac043db 2df4c
mswsock!WSPBind+0x2e3
WARNING: Frame IP not in any known module. Following frames may be wrong.
ed91c8 2df4c
ws2_32+0x43dbed0 00000 rasapi32+0x491c8ed997c 00 rasapi32+0xdfc0 76ed8ac2 c225f8 02c22688 rasapi32+0xdfd4 76ed89cd 02c225f8 02c22ce8 02c22f38 rasapi32+0x48ac20012dff0 76ed82e5 02c226b2 02c22f38
rasapi32+0x489cded827f 02c225f8 02c22ce8 02c22f38 rasapi32+0x482eed8bf0 02c225f8 00000 rasapi32+0xc8 76ed844d 02c225f8 00000 rasapi32+0x48bfed74b5 f58 rasapi32+0x0 76ed544f 02c21f58 c21f58 rasapi32+0x474bed944d f58 rasapi32+0xc 76ed93a4 00 rasapi32+0x8 76ed505f 02c22c9c 00000 rasapi32+0x493a40012e2bc 7db442bf 02c22c9c 00000 rasapi32+0xec 7dbc9c 00000 mswsock!SaBlob_Query+0x2ddb00
mswsock!Rnr_DoDnsLookup+0xf 71c06dc0 02c22c38 2e680 mswsock!Dns_NSPLookupServiceNext+0x24b 71c06da0 c22c38
ws2_32+0x6dc00012e5fc 71c06d6a e680 ws2_32+0x6dac06d08
2e680 ws2_32+0x6d6acd8 2e680 ws2_32+0x6d 71c07f68 ef74 ws2_32+0x 71cc98 2ef74 ws2_32+0x7f680012efa0 71cc98 00000 ws2_32+0x 71cc98 2f148 ws2_32+0xbc 7dab22fb
2f148 ws2_32+0xc 7dab3a0e 6fff0 0026836c rpcrt4!IP_ADDRESS_RESOLVER::NextAddress+0x13edab3c11 272f38
rpcrt4!TCPOrHTTP_Open+0xdbda44c85 271d38 00272f38 rpcrt4!TCP_Open+0xb8 7da44b53 71d38 00272f38 rpcrt4!OSF_CCONNECTION::TransOpen+0x5eda447d7 0026fff0 000dbba0
rpcrt4!OSF_CCONNECTION::OpenConnectionAndBind+0xbeda00 00000 rpcrt4!OSF_CCALL::BindToServer+0xfada3a9df 00 rpcrt4!OSF_BINDING_HANDLE::InitCCallWithAssociation+0xf4 7da3a8dd 2f480
rpcrt4!OSF_BINDING_HANDLE::AllocateCCall+0x49dda37a1c 2f4ac
rpcrt4!OSF_BINDING_HANDLE::NegotiateTransferSyntax+0x2edaf480 2f460 rpcrt4!I_RpcGetBufferWithObject+0x5bda37bff 2f86c 0012f84c rpcrt4!I_RpcGetBuffer+0xfdacac 26fff0 rpcrt4!NdrGetBuffer+0x2e6f41f1 766f24e8 766f423a 0012f86c rpcrt4!NdrClientCall2+0x 766f40b8 0026fff0 2f8e4 ntdsapi!_IDL_DRSBind+0x1cd8ecaa2 002788bc 00000 ntdsapi!DsBindWithSpnExW+0xb0 7d8ed028 64f90
secur32!SecpTranslateName+0x1f 064f90 00002 secur32!TranslateNameW+0x2d0012fab4 2a85e4 0012fc94 afec94eb App+0x34aa041a61b afec9443 ffffffff 00463fb8 App+0x19a7f0012fbc0
ffffffff 4188f3 App+0x1a61b0012fbc8 4188f3 afec93eb ffffffff App+0x5a2930012fbcc
afec93eb ffffffff 00463fb0 App+0xf 9c085 04645 App+0x188f3
STACK_COMMAND:  kb
FOLLOWUP_IP:
hnetcfg!FwOpenDynamicFwPort+1df2a2fba 83c40c          add     esp,0Ch
SYMBOL_STACK_INDEX:  4
SYMBOL_NAME:  hnetcfg!FwOpenDynamicFwPort+1d
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: hnetcfg
IMAGE_NAME:  hnetcfg.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  45d6cc2a
FAULTING_THREAD:  2fe4
FAILURE_BUCKET_ID:  X64_6d9_hnetcfg!FwOpenDynamicFwPort+1d
BUCKET_ID:  X64_6d9_hnetcfg!FwOpenDynamicFwPort+1d
Followup: MachineOwner
---------
0:000:x86> ~*k
Suspend: 1 Teb: efdb000 Unfrozen
ChildEBP          RetAddr
da4a631 kernel32!RaiseException+0xa4 7da4a5f7 rpcrt4!RpcpRaiseException+0xb4 7dac0140 rpcrt4!NdrGetBuffer+0x460012dda0 5f2a2fba rpcrt4!NdrClientCall2+0x1970012ddbc 5f29c6a6 hnetcfg!FwOpenDynamicFwPort+0x1ddb4291f hnetcfg!IcfOpenDynamicFwPort+0x6ac043db mswsock!WSPBind+0x2e3
WARNING: Frame IP not in any known module. Following frames may be wrong.
ed91c8 ws2_32+0x43dbed9128 rasapi32+0x491c8ed997c rasapi32+0xdfc0 76ed8ac2 rasapi32+0xdfd4 76ed89cd rasapi32+0x48ac20012dff0 76ed82e5 rasapi32+0x489cded827f rasapi32+0x482eed8bf0 rasapi32+0xc8 76ed844d rasapi32+0x48bfed74b5 rasapi32+0x0 76ed544f rasapi32+0x474bed944d rasapi32+0xc 76ed93a4 rasapi32+0x4944d
   1  Id: c Suspend: 1 Teb: efd8000 Unfrozen
ChildEBP          RetAddr
01fcfea4 7d63f501 ntdll_7d600000!NtWaitForMultipleObjects+0x15
01fcff48 7d63f988 ntdll_7d600000!EtwpWaitForMultipleObjectsEx+0xf7
01fcffb8 7d4dfe21 ntdll_7d600000!EtwpEventPump+0x27f
01fcffec kernel32!BaseThreadStart+0x34
Suspend: 1 Teb: efd5000 Unfrozen
ChildEBP          RetAddr
026eff50 0042f13b user32!NtUserGetMessage+0x15
WARNING: Stack unwind information not available. Following frames may be wrong.
026effb8 7d4dfe21 App+0x2f13b
026effec kernel32!BaseThreadStart+0x34
Suspend: 1 Teb: efad000 Unfrozen
ChildEBP          RetAddr
0285ffa0 7d634d69 ntdll_7d600000!ZwDelayExecution+0x15
0285ffb8 7d4dfe21 ntdll_7d600000!RtlpTimerThread+0x47
0285ffec kernel32!BaseThreadStart+0x34
Suspend: 1 Teb: efa4000 Unfrozen
ChildEBP          RetAddr
02daff80 7db4b6c6 ntdll_7d600000!NtRemoveIoCompletion+0x15
02daffb8 7d4dfe21 mswsock!SockAsyncThread+0x69
02daffec kernel32!BaseThreadStart+0x34
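The Virtualized Process check described above (every thread of the 64-bit view running through wow64!RunCpuSimulation means a 32-bit process captured in a 64-bit dump) can be automated over saved `~*k` output. This is an added Python example, not part of the original article; the function names and the sample traces (placeholder thread ids and addresses) are assumptions made for illustration.

```python
import re

FRAME_RE = re.compile(r"\b([A-Za-z_][\w.]*)!([\w:~<>@?$]+)")  # module!symbol
THREAD_RE = re.compile(r"^[.#\s]*(\d+)\s+Id:\s*\S+")           # ".  0  Id: pid.tid ..."

def split_threads(text):
    """Split saved `~*k` output into {thread_number: [(module, symbol), ...]}."""
    threads, current = {}, None
    for line in text.splitlines():
        header = THREAD_RE.match(line)
        if header:
            current = int(header.group(1))
            threads[current] = []
        elif current is not None:
            threads[current] += [(m.lower(), s) for m, s in FRAME_RE.findall(line)]
    return threads

def is_virtualized(frames):
    """True if the 64-bit stack contains the WOW64 CPU simulation loop."""
    return ("wow64", "RunCpuSimulation") in frames

def triage(text):
    """Report emulated threads and, if all are emulated, the commands to run next."""
    threads = split_threads(text)
    flagged = sorted(n for n, frames in threads.items() if is_virtualized(frames))
    all_emulated = bool(threads) and len(flagged) == len(threads)
    return {"threads": len(threads), "virtualized": flagged,
            "next": [".load wow64exts", ".effmach x86"] if all_emulated else []}

# Constructed samples: symbol names as in the traces above; thread ids and
# addresses are placeholders, not values from the original dump.
X64_VIEW = """\
.  0  Id: 1.a Suspend: 1 Teb: 0 Unfrozen
Child-SP          RetAddr           Call Site
0 0 wow64!Wow64NotifyDebugger
0 0 wow64cpu!ServiceNoTurbo
0 0 wow64!RunCpuSimulation
   1  Id: 1.b Suspend: 1 Teb: 0 Unfrozen
Child-SP          RetAddr           Call Site
0 0 wow64cpu!WaitForMultipleObjects32
0 0 wow64!RunCpuSimulation
"""
X86_VIEW = """\
.  0  Id: 1.a Suspend: 1 Teb: 0 Unfrozen
ChildEBP RetAddr
0 0 kernel32!RaiseException
0 0 hnetcfg!FwOpenDynamicFwPort
"""

print(triage(X64_VIEW), triage(X86_VIEW))
```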
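Playing World of Warcraft with Wine on Ubuntu Linux
With Wine on Linux we can run most mainstream games under Linux, including WoW (World of Warcraft).
Game environment: ubuntu 6.06, p4 2.4g, 726m, scim input method, nvidia mx 440, wine 9.21
1. Install the graphics driver (if your distribution is not Debian-based, check the relevant website for how to install the graphics driver)
First, confirm whether your graphics driver is already installed.
Run glxinfo | grep rendering
If it shows "direct rendering: Yes", the driver is installed.
Otherwise:
nvidia graphics card:
sudo apt-get install nvidia-glx
sudo nvidia-glx-config enable
nvidia-settings
ATI graphics card (unverified):
sudo apt-get install xorg-driver-fglrx
sudo dpkg-reconfigure xserver-xorg
When prompted to choose a driver, choose fglrx
2. Set the administrator password (it seems only ubuntu has no default root user)
sudo passwd root
3. Install the build environment (install it yourself according to your distribution)
First, the basic compiler (it seems only ubuntu does not ship this by default -____-)
sudo apt-get install build-essential
Next, install flex and bison
sudo apt-get install flex bison
Then install the X11 library files
(the wine readme puts it this way: called xlib6g-dev in Debian and XFree86-devel in Red Hat)
sudo apt-get install xlibs-dev
(this depends on your distribution; in any case these are the opengl lib files that provide opengl support)
sudo apt-get install libartsc0 libartsc0-dev libgl1-mesa-dev
Finally, install the font packages
sudo apt-get install ftgl-dev fontforge
4. Download the Wine source code
On the wine download page at SF.net
download wine-0.9.21.tar.bz2
then extract it
wow-patch-0.9.21.patch
x11drv_fbconfig_fix-0001.bin
Then put them into the directory where the wine source code was extracted.
Then, in a terminal, enter the directory where you put the source code (for example cd ~/Desktop/wine-0.9.21)
The screen will show the following:
The text leading up to this was:
--------------------------
|--- dlls/winex11.drv/opengl.c
18:57: 01. +0200
|+++ dlls/winex11.drv/opengl.c
18:57:17. +0200
--------------------------
File to patch:
Following the prompt, type dlls/winex11.drv/opengl.c (tab completion does not work here)
If you have an ATI graphics card, you also need to patch -p1
In the terminal, enter the tools directory (for example cd tools)
bash wineinstall
Wait for the system to configure itself
Then the following will appear:
We need to install wine as root user, do you want us to build wine,
'su root' and install Wine? Enter 'no' to continue without installing
Check which packages the system says are missing.
If there are no problems, type yes and the long compilation begins.
When compilation finishes, you will be asked to log in as root for the final setup.
7. Run EasyWine
(find the EasyWine installation method for your version at)
Download EasyWine
Then in the terminal:
go to where you put EasyWine (for example cd Desktop)
bash EasyWine3RC2.sh
Then enter input as prompted
After installation, close and reopen the terminal, type EasyWine, set up the virtual C drive, leave the path blank, then choose to initialize the wine settings.
EasyWine setup is complete.
8. Set up the input method
In the SCIM options, under Front End -> Global Settings, uncheck "Embed preedit string into client window"
Chinese input then works normally in WoW running under wine
1. If you installed the game under Windows, then
wine /media/hdax/(your WoW directory)/WoW.exe -opengl -nosound and you can play
2. If you want to install the game in ubuntu, just run the installer with wine. The installed files are in .wine/dosdevices in your home folder. .wine is a hidden folder; press CTRL+h in the root directory to see it.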