Debugging an x64 target with x86 WinDbg

Hi.

I’m attaching to an x64 Win7 target in a VM using x86 WinDbg on an x86 XP host machine. Here’s the log from the debugger:

*********************************************************************
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com_1
Waiting to reconnect…
Connected to Windows 7 7600 x64 target at (Wed Feb 17 17:07:37.984 2010 (GMT+4)), ptr64 TRUE
Kernel Debugger connection established.
Symbol search path is: W:\P\head\protectdrive\release_x64\x64
Executable search path is:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Windows 7 Kernel Version 7600 MP (1 procs) Free x64
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff80002603000 PsLoadedModuleList = 0xfffff80002840e50
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for hal.dll -
hal!HalRegisterErrataCallbacks+0x3aee:
fffff800`02c2340a cc int 3
kd> g
The context is partially valid. Only x86 user-mode context is available.
WOW64 single step exception - code 4000001e (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
6c531437 7175 jno 6c5314ae
32.kd:x86> g
*********************************************************************

This is what bothers me:
“The context is partially valid. Only x86 user-mode context is available.”

Particularly I’m interested in why it goes through some automatic context switch and can I even successfully debug my drivers in this way.

Thanks,
Martin

You can’t debug 64 bit user mode code with the x86 debugger.
You need to fix your symbols.
It looks like you hit a breakpoint in WOW64 which is user mode.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yandex.ru
Sent: Wednesday, February 17, 2010 9:40 AM
To: Kernel Debugging Interest List
Subject: [windbg] Debugging an x64 target with x86 WinDbg


WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Thanks for the reply!

I’m not doing a user mode debug, so how can I ignore that surprise WOW64 breakpoint and switch back into the previous context remaining attached to the system?

I don’t know why you hit the breakpoint. I have used the x86 debugger to
debug 64 bit OSes, including Server 2008 R2, without any problems. What
happened after you hit g?
You do need to fix your symbols.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yandex.ru
Sent: Wednesday, February 17, 2010 11:26 AM
To: Kernel Debugging Interest List
Subject: RE:[windbg] Debugging an x64 target with x86 WinDbg


Yeah, it turned out there was a 32bit Norton Antivirus installed in the VM snapshot I was using – quite a possible source of a first chance exception in WOW64. So I tried the same with a clean VM without any exceptions and context switches.

Yes, I know I have to fix my symbols; just trying to figure out if it’s possible to debug a 64bit system using a 32bit WinDbg.

Thanks for help!
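
The symbol fix that the replies ask for, together with a way back from the `32.kd:x86>` prompt, as an added example that is not part of the original thread. The local cache directory `C:\Symbols` is an assumption; the driver path is the one shown in the log above.

```windbg
$$ Use the Microsoft public symbol server, caching downloads in C:\Symbols (assumed directory)
.symfix C:\Symbols
$$ Append the driver's own PDB directory (path taken from the log above)
.sympath+ W:\P\head\protectdrive\release_x64\x64
$$ Show symbol-loading diagnostics while reloading, then silence them again
!sym noisy
.reload /f nt
.reload /f hal.dll
!sym quiet
$$ nt and hal should now report pdb symbols instead of export symbols
lm m nt
lm m hal
$$ Display the current effective machine, then return to the target's native (x64) mode
.effmach
.effmach .
```

With the effective machine back on the target's native mode, registers and disassembly are interpreted as x64 again rather than as the WOW64 x86 context.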

That is only so for local user mode debugging. The 64-bit debuggers should work just fine debugging wow64 code over kd.

But first I’d fix symbols in this case.

- S

-----Original Message-----
From: Bill Wandel
Sent: Wednesday, February 17, 2010 7:51
To: Kernel Debugging Interest List
Subject: RE: [windbg] Debugging an x64 target with x86 WinDbg
