I got a complicated crash dump: a (32-bit) program (C++) was written in Visual Studio 6 and executed on a 64-bit machine. So, I got a 64-bit crash dump. Sadly, I don't have access to VS 6 (and I don't think VS6 can handle 64-bit). VS 2015 cannot open this crash dump (a 32-bit debugger cannot debug 64-bit..), so I tried it with WinDbg (and my own dmp file viewer :).
Viewing the stack shows only system addresses (0x7..).
E.g.:
. 0 Id: bdc.b40 Suspend: 0 Teb: 00000000`7efdb000 Unfrozen
Start: XXXX+0x4bf33d (00000000`008bf33d)
Priority: 2 Priority class: 128 Affinity: f
# Child-SP RetAddr Call Site
00 00000000`0008e2e8 00000000`73deaedc wow64win!NtUserGetMessage+0xa
01 00000000`0008e2f0 00000000`73e3d18f wow64win!whNtUserGetMessage+0x30
02 00000000`0008e350 00000000`73dc2776 wow64!Wow64SystemServiceEx+0xd7
03 00000000`0008ec10 00000000`73e3d286 wow64cpu!ServiceNoTurbo+0x2d
04 00000000`0008ecd0 00000000`73e3c69e wow64!RunCpuSimulation+0xa
05 00000000`0008ed20 00000000`77c7fb96 wow64!Wow64LdrpInitialize+0x42a
06 00000000`0008f270 00000000`77cdbd09 ntdll!LdrpInitializeProcess+0x17e3
07 00000000`0008f760 00000000`77c6a36e ntdll! ?? ::FNODOBFM::`string'+0x22a30
08 00000000`0008f7d0 00000000`00000000 ntdll!LdrInitializeThunk+0xe
There isn't even the entry point as listed above, in ThreadInfoListStream or
0:000> ~*
. 0 Id: bdc.b40 Suspend: 0 Teb: 00000000`7efdb000 Unfrozen
Start: XXXX+0x4bf33d (00000000`008bf33d)
Priority: 2 Priority class: 128 Affinity: f
[..]
What is wrong / where am I wrong? What can I do to see the whole stack? Is there a help / guide anywhere on how to unwind the stack on my own (I'm able to load / read PDBs, I have access to the memory saved in the dump, I've already decoded the main part of the TEB, ...)?
Thanks
The .effmach command can be used to switch between architectures. It takes x86 or amd64 as an argument.
You can also load the wow64exts extension. It has a !sw command that toggles between the two modes.
Note how the command prompt and the output of k change:
0:000> k
Child-SP RetAddr Call Site
00000000`006ee8e8 00000000`60db21ef wow64cpu!CpupSyscallStub+0xc
00000000`006ee8f0 00000000`60e5bfa1 wow64cpu!Thunk0Arg+0x5
00000000`006ee9a0 00000000`60e4cbb0 wow64!RunCpuSimulation+0xf311
00000000`006eea20 00007ff9`0bef2a11 wow64!Wow64LdrpInitialize+0x120
00000000`006eecd0 00007ff9`0bf289c6 ntdll!EtwEventProviderEnabled+0x1cb1
00000000`006ef0d0 00007ff9`0bed9fae ntdll!memset+0x1c006
00000000`006ef150 00000000`00000000 ntdll!LdrInitializeThunk+0xe
0:000> .load wow64exts
0:000> !sw
Switched to 32bit mode
0:000:x86> k
ChildEBP RetAddr
007eeebc 09ad86fe win32u!NtUserWaitMessage+0xc
WARNING: Frame IP not in any known module. Following frames may be wrong.
007eefd8 7303eaf6 0x9ad86fe
007eefe4 730470e9 clr!CallDescrWorkerInternal+0x34
007ef038 73047714 clr!CallDescrWorkerWithHandler+0x6b
007ef0a0 731dac11 clr!MethodDescCallSite::CallTargetWorker+0x16a
007ef1cc 731dad09 clr!RunMain+0x1ad
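
For the "unwind the stack on my own" part of the question, the following is an added example (not code from either post) of walking 32-bit frames by hand once the thread's x86 EIP/EBP are known. It assumes frames keep EBP as a frame pointer (no FPO) and that the stack limits come from the 32-bit TEB's StackLimit/StackBase; `StackMemory`, `build_sample` and all addresses are constructed stand-ins for a real dump reader.

```python
import struct

class StackMemory:
    """Constructed stand-in for dump memory: one contiguous 32-bit stack region."""
    def __init__(self, base, data):
        self.base, self.data = base, data

    def read_u32(self, addr):
        off = addr - self.base
        if off < 0 or off + 4 > len(self.data):
            raise ValueError("address 0x%08x not captured in dump" % addr)
        return struct.unpack_from("<I", self.data, off)[0]

def walk_ebp_chain(mem, eip, ebp, stack_limit, stack_base, max_frames=64):
    """Return [(frame_ebp, ip)], innermost first, by following saved-EBP links.
    Stops when EBP is misaligned, leaves [stack_limit, stack_base), or the
    chain fails to move toward the stack base (corrupt stack or FPO frame)."""
    frames = [(ebp, eip)]
    while len(frames) < max_frames:
        if ebp % 4 or not (stack_limit <= ebp <= stack_base - 8):
            break
        saved_ebp = mem.read_u32(ebp)      # [ebp]   = caller's EBP
        ret_addr = mem.read_u32(ebp + 4)   # [ebp+4] = return address in caller
        if ret_addr == 0:
            break
        frames.append((saved_ebp, ret_addr))
        if saved_ebp <= ebp:               # the stack grows down, so callers sit higher
            break
        ebp = saved_ebp
    return frames

def build_sample():
    """Constructed 0x100-byte stack holding three chained frames."""
    base, size = 0x0012F000, 0x100
    buf = bytearray(size)
    for ebp, saved, ret in [(0x0012F020, 0x0012F040, 0x00401234),
                            (0x0012F040, 0x0012F080, 0x00405678),
                            (0x0012F080, 0x00000000, 0x0040ABCD)]:
        struct.pack_into("<II", buf, ebp - base, saved, ret)
    return StackMemory(base, bytes(buf)), base, base + size

if __name__ == "__main__":
    mem, limit, top = build_sample()
    for n, (fp, ip) in enumerate(walk_ebp_chain(mem, 0x00401000, 0x0012F020, limit, top)):
        print("%02d ebp=%08x ip=%08x" % (n, fp, ip))
```

Each returned `ip` still has to be resolved against the module list and PDBs to get a symbol name; frames compiled with frame-pointer omission need the FPO data from the PDB instead of this chain.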