Question

I am using 64-bit WinDbg to dump struct information, and am trying to dump 32-bit struct information.

I start WinDbg, choose File > Kernel Debug and start a Local session. Then I dump a struct:

lkd> dt nt!_LIST_ENTRY
    +0x000 Flink            : Ptr64 _LIST_ENTRY
    +0x008 Blink            : Ptr64 _LIST_ENTRY

As expected, this shows the 64-bit struct information.

I understand that I can debug remote systems or analyze crash dumps, as long as I load the correct symbols for those Windows versions.

I tried to set the .effmach to x86, as was hinted in this comment, but I still get the 64-bit struct:

lkd> .effmach x86
Effective machine: x86 compatible (x86)
lkd:x86> .symfix
lkd:x86> .reload
Connected to Windows 7 7601 x64 target at (date), ptr64 TRUE
Loading Kernel Symbols
...............................................................
.................................................................
Loading User Symbols
..........................................
Loading unloaded module list
......
lkd> dt nt!_LIST_ENTRY
    +0x000 Flink            : Ptr64 _LIST_ENTRY
    +0x008 Blink            : Ptr64 _LIST_ENTRY

As you can see, this is not the 32-bit _LIST_ENTRY struct, but the 64-bit struct we already saw above.

My question: Is it possible to dump 32-bit struct information in a 64-bit WinDbg, without a remote 32-bit system and without a 32-bit crash dump?

Solution

No, there is no way to do what you're trying to do. Kernel-mode code on x64 Windows is always 64-bit and uses 64-bit structures, so the 32-bit type information is not present.

OTHER TIPS

Have you checked this link?

This may help!

EDIT: Adding some more detail.

Well, I agree with snoone that if you are debugging a 64-bit kernel, the entire address space is 64-bit. Hence all kernel-mode structures will only be 64-bit.

Now, the reason I posted the link above is that if you want to debug 32-bit apps [i.e. WoW apps] running on a 64-bit machine, then apart from the .effmach x86 tried by you, there is another extension you can try. That is: !wow64exts.sw

So I wanted to introduce the wow64exts extension, which I found very helpful for removing the clutter when dealing with 32-bit stuff on a 64-bit OS!

Licensed under: CC-BY-SA with attribution