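I am trying to analyze a wow64 process dump. The problem is a memory leak, so I need to inspect the heap. I am following this article to analyze the dump:
http://www.codeproject.com/Articles/31382/Memory-Leak-Detection-Using-Windbg
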
0:000> .load wow64exts
0:000> !sw
Switched to 32bit mode
0:000:x86> !heap -s
NtGlobalFlag enables following debugging aids for new heaps:
tail checking
free checking
validate parameters
LFH Key : 0x00000000072e0d1a
Termination on corruption : ENABLED
Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast
(k) (k) (k) (k) length blocks cont. heap
-----------------------------------------------------------------------------
00000000001b0000 40000062 1024 32 1024 8 2 1 0 0
0000000000320000 40001062 47808 45812 47808 7 8 7 0 0
-----------------------------------------------------------------------------
0:000:x86> !heap -stat -h 0000000000320000
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: wow64!_TEB32 ***
*** ***
*************************************************************************
heap @ 0000000000320000
group-by: TOTSIZE max-display: 20
size #blocks total ( %) (percent of total busy bytes)

wow64!_TEB32 cannot be found, so I can't continue. Can anybody help?
Posted on 2014-11-08 04:54:06
First, make sure your symbols are set up correctly, usually by doing the following:
.symfix c:\symbols
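.reload

In general, for 32-bit applications, you should take a 32-bit dump if you don't want to debug the WOW64 layer itself.
However, in your case (regarding the !heap command), you can repeat the steps in the 32-bit version of WinDbg, which also runs on 64-bit Windows and can open 64-bit dumps.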
https://stackoverflow.com/questions/26795510