当你在64位Windows系统上抓32位进程的dmup文件时
如果用的是64位任务管理器那么在用Windbg加载后要用!wow64exts.sw切换到X86模式下.
如果不想做这步切换 就要用32位的任务管理器来生成dmp文件。
32位任务管理器在C:\Windows\SysWOW64\Taskmgr.exe
0:000> !wow64exts.sw
Switched to 32bit mode
0:000:x86> .load F:\Yangl\2023\01\jxc\SOS.dll
The call to LoadLibrary(F:\Yangl\2023\01\jxc\SOS.dll) failed, Win32 error 0n2
"系统找不到指定的文件。"
Please check your debugger configuration and/or network access.
0:000:x86> .loadby sos clr
0:000:x86> !clrstack
OS Thread Id: 0x690 (0)
Unable to walk the managed stack. The current thread is likely not a
managed thread. You can run !threads to get a list of managed threads in
the process
Failed to start stack walk: 80070057
0:000:x86> !eeheap -gc;
The version of SOS does not match the version of CLR you are debugging. Please
load the matching version of SOS for the version of CLR you are debugging.
CLR Version: 4.8.4110.0
SOS Version: 4.8.4220.0
The garbage collector data structures are not in a valid state for traversal.
It is either in the "plan phase," where objects are being moved around, or
we are at the initialization or shutdown of the gc heap. Commands related to
displaying, finding or traversing objects as well as gc heap segments may not
work properly. !dumpheap and !verifyheap may incorrectly complain of heap
consistency errors.
Number of GC Heaps: 4
------------------------------
Heap 0 (00000000011c6808)
generation 0 starts at 0x00000000f6931200
0:000:x86> !dumpheap -stat; The version of SOS does not match the version of CLR you are debugging. Please load the matching version of SOS for the version of CLR you are debugging. CLR Version: 4.8.4110.0 SOS Version: 4.8.4220.0 Error requesting heap segment 0000000088010000 Failed to retrieve segments for gc heap Unable to build snapshot of the garbage collector state 0:000:x86> .load F:\Yangl\2023\01\jxc\sos.dll 0:000:x86> .loadby sos clr 0:000:x86> !clrstack OS Thread Id: 0x690 (0) Unable to walk the managed stack. The current thread is likely not a managed thread. You can run !threads to get a list of managed threads in the process Failed to start stack walk: 80070057 0:032:x86> !dumpheap -stat; Error requesting heap segment 0000000088010000 Failed to retrieve segments for gc heap Unable to build snapshot of the garbage collector state
0:000:x86> .load F:\Yangl\2023\01\jxc\SOS.dll The call to LoadLibrary(F:\Yangl\2023\01\jxc\SOS.dll) failed, Win32 error 0n2 "系统找不到指定的文件。" Please check your debugger configuration and/or network access. 0:000:x86> .load F:\Yangl\2023\12 慧威DUMP\SOS.dll The call to LoadLibrary(F:\Yangl\2023\12 慧威DUMP\SOS.dll) failed, Win32 error 0n2 "系统找不到指定的文件。" Please check your debugger configuration and/or network access. 0:000:x86> .load sos The call to LoadLibrary(sos) failed, Win32 error 0n2 "系统找不到指定的文件。" Please check your debugger configuration and/or network access. 0:000:x86> .load C:\Windows\Microsoft.NET\Framework\v4.0.30319\sos.dll 0:000:x86> .chain Extension DLL search Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\WINXP;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext\arcade;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\pri;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86;C:\Users\bosd\AppData\Local\Dbg\EngineExtensions32;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86;C:\Program Files\Java\jdk1.8.0_66\bin;C:\ProgramData\Oracle\Java\javapath;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\iCLS\;C:\Program Files\Intel\Intel(R) Management Engine Components\iCLS\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\;C:\Program Files (x86)\Microsoft SQL Server\100\DTS\Binn\;C:\Users\bosd\.dnx\bin;C:\Program Files\Microsoft DNX\Dnvm\;C:\Program Files\Microsoft SQL Server\120\Tools\Binn\;C:\Program Files\Microsoft SQL Server\130\Tools\Binn\;C:\Program Files (x86)\GitExtensions\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files (x86)\MATLAB\MATLAB Runtime\v90\runtime\win32;C:\Program Files\IDM Computer Solutions\UltraEdit;C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin;E:\Program Files (x86)\QuickTime\QTSystem\;C:\Program Files\dotnet\;C:\Program Files\Microsoft SQL Server\150\Tools\Binn\;C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\;C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\;f:\InPlantSCADA;f:\InPlantSCADA\SCDatabase\;C:\Program Files\Git\cmd;C:\Program Files (x86)\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program Files (x86)\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files (x86)\Microsoft Visual Studio\Common\Tools;E:\Program Files (x86)\Microsoft Visual Studio\VC98\bin;C:\Users\bosd\AppData\Local\Microsoft\WindowsApps;F:\Users\bosd\Downloads\opencv\build\x64\vc14\bin;e:\Users\bosd\AppData\Local\Programs\Fiddler;C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin;F:\Yangl\药械\公用组件\Debug;F:\Yangl\药械\公用组件\Release;C:\Users\bosd\.dotnet\tools Extension DLL chain: C:\Windows\Microsoft.NET\Framework\v4.0.30319\sos.dll: image 4.8.4220.0, API 1.0.0, built Tue Jul 7 06:46:12 2020 [path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\sos.dll] wow64exts: image 10.0.22621.755, API 1.0.0, [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\WINXP\wow64exts.dll] ELFBinComposition: image 10.0.22621.755, API 0.0.0, [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext\ELFBinComposition.dll] dbghelp: image 10.0.22621.755, API 10.0.6, [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\dbghelp.dll] exts: image 10.0.22621.755, API 1.0.0, [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\WINXP\exts.dll] uext: image 10.0.22621.755, API 1.0.0, [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext\uext.dll] ntsdexts: image 10.0.22621.755, API 1.0.0, [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\WINXP\ntsdexts.dll] 0:000:x86> !adress -summary No export adress found 0:000:x86> !address -summary Mapping file section regions... Mapping module regions... Mapping PEB regions... Mapping TEB and stack regions... Mapping heap regions... Mapping page heap regions... Mapping other regions... Mapping stack trace database regions... Mapping activation context regions... --- Usage Summary ---------------- RgnCount ----------- Total Size -------- %ofBusy %ofTotal <unknown> 788 ca998000 ( 3.166 GB) 90.79% 79.14% Free 346 20da0000 ( 525.625 MB) 12.83% Image 1933 db93000 ( 219.574 MB) 6.15% 5.36% Heap32 88 4a0f000 ( 74.059 MB) 2.07% 1.81% Stack32 187 1080000 ( 16.500 MB) 0.46% 0.40% Stack64 186 f80000 ( 15.500 MB) 0.43% 0.38% Other 14 1c9000 ( 1.785 MB) 0.05% 0.04% Heap64 3 90000 ( 576.000 kB) 0.02% 0.01% TEB64 62 7c000 ( 496.000 kB) 0.01% 0.01% TEB32 62 3e000 ( 248.000 kB) 0.01% 0.01% Other32 1 1000 ( 4.000 kB) 0.00% 0.00% PEB64 1 1000 ( 4.000 kB) 0.00% 0.00% PEB32 1 1000 ( 4.000 kB) 0.00% 0.00% --- Type Summary (for busy) ------ RgnCount ----------- Total Size -------- %ofBusy %ofTotal MEM_PRIVATE 849 ced2a000 ( 3.232 GB) 92.69% 80.79% MEM_IMAGE 2355 f1ab000 ( 241.668 MB) 6.77% 5.90% MEM_MAPPED 48 11e8000 ( 17.906 MB) 0.50% 0.44% --- State Summary ---------------- RgnCount ----------- Total Size -------- %ofBusy %ofTotal MEM_COMMIT 2737 cbc93000 ( 3.184 GB) 91.32% 79.61% MEM_FREE 420 20f33000 ( 527.199 MB) 12.87% MEM_RESERVE 515 1342a000 ( 308.164 MB) 8.63% 7.52% --- Protect Summary (for commit) - RgnCount ----------- Total Size -------- %ofBusy %ofTotal PAGE_READWRITE 1123 bc488000 ( 2.942 GB) 84.38% 73.55% PAGE_EXECUTE_READ 279 ba69000 ( 186.410 MB) 5.22% 4.55% PAGE_READONLY 650 2848000 ( 40.281 MB) 1.13% 0.98% PAGE_WRITECOPY 521 12e3000 ( 18.887 MB) 0.53% 0.46% PAGE_EXECUTE_READWRITE 40 141000 ( 1.254 MB) 0.04% 0.03% PAGE_READWRITE | PAGE_GUARD 124 136000 ( 1.211 MB) 0.03% 0.03% --- Largest Region by Usage ----------- Base Address -------- Region Size ---------- <unknown> 10040000 11ef2000 ( 286.945 MB) Free f2970000 3fc0000 ( 63.750 MB) Image 6ab42000 f59000 ( 15.348 MB) Heap32 6e40000 800000 ( 8.000 MB) Stack32 31b0000 7c000 ( 496.000 kB) Stack64 70000 39000 ( 228.000 kB) Other 660000 181000 ( 1.504 MB) Heap64 236000 7a000 ( 488.000 kB) TEB64 ffe5e000 2000 ( 8.000 kB) TEB32 ffe60000 1000 ( 4.000 kB) Other32 11e0000 1000 ( 4.000 kB) PEB64 fffdf000 1000 ( 4.000 kB) PEB32 fffde000 1000 ( 4.000 kB) 0:000:x86> !ao SOS does not support the current target architecture. 0:000:x86> !clrstack SOS does not support the current target architecture. 0:000:x86> .load F:\Yangl\2023\01\soswow64.dll Successfully hooked IDebugControl::GetExecutingProcessorType. Failed patching DbgEng!X86MachineInfo::ConvertCanonContextToTarget, stack related commands may not work correctly. 0:000:x86> !ao There was no managed OOM due to allocations on the GC heap 0:000:x86> !dumpheap -stat The garbage collector data structures are not in a valid state for traversal. It is either in the "plan phase," where objects are being moved around, or we are at the initialization or shutdown of the gc heap. Commands related to displaying, finding or traversing objects as well as gc heap segments may not work properly. !dumpheap and !verifyheap may incorrectly complain of heap consistency errors. Object <exec cmd="!ListNearObj /d 10041000">10041000</exec> has an invalid method table.
The version of SOS does not match the version of CLR you are debugging
分析dump文件时,由于客户生产环境与分析dump文件的环境不一致,常常会出现下面的错误
The version of SOS does not match the version of CLR you are debugging. Please
load the matching version of SOS for the version of CLR you are debugging.
CLR Version: 4.0.30319.34209
SOS Version: 4.7.2650.0
问题原因:客户生产环境的net版本是4.0.30319.34209,但分析环境的net版本是4.7.2650.0,二个环境的版本不一致。
解决方案:从客户生产环境(C:\Windows\Microsoft.NET\Framework64\v4.0.30319)拷贝这clr.dll,mscordacwks.dll,SOS.dll 这三个组件
替换到分析环境Symbol File Path路径,重新打开windbg,就正常了。
以上方法不行 就用WINDBG 32位版 试试
以上方法不行 用这里的方式试试,下载DLL https://github.com/poizan42/soswow64 此方法可用,我用WINDBG32位下成功。
0:000> .load C:\Windows\Microsoft.NET\Framework\v4.0.30319\sos.dll 0:000> !t SOS does not support the current target architecture. 0:000> .loadby sos clr 0:000> !wow64exts.sw Switched to Guest (WoW) mode 0:000:x86> !threads SOS does not support the current target architecture. 0:000:x86> .load F:\Yangl\2023\01\soswow64.dll Successfully hooked IDebugControl::GetExecutingProcessorType. Failed patching DbgEng!X86MachineInfo::ConvertCanonContextToTarget, stack related commands may not work correctly. 0:000:x86> !t ThreadCount: 90 UnstartedThread: 0 BackgroundThread: 42 PendingThread: 0 DeadThread: 48 Hosted Runtime: no Lock ID OSID ThreadOBJ State GC Mode GC Alloc Context Domain Count Apt Exception 10 1 1c5c 028d1678 28220 Preemptive 00000000:00000000 028cd0f0 0 Ukn 21 2 17b0 029037e0 2b220 Preemptive 00000000:00000000 028cd0f0 0 MTA (Finalizer)
On a 64-bit Windows installation is it possible to make both 32-bit and 64-bit dumps of
32-bit processes.
The task manager will create a 64-bit dump, which therefore is often what you end up with
users sending you. This is not a problem for native executeables since you can still load
it in windbg and use the !wow64exts.sw extension to switch into the 32-bit view.
However if your process is a .NET process and you want to use SoS to investigate it then
you are out of luck, you'll just get the message
"SOS does not support the current target architecture."
This extension gets around this by hooking/patching functions in dbgeng.dll so that SoS
thinks it's working with a 32-bit dump.
** Usage **
Copy soswow64.dll into the "winxp" subfolder of windbg. Then after loading a 64-bit memory
dump of a 32-bit process you can simply load the extension:
0:000> .load soswow64
Successfully hooked IDebugControl::GetExecutingProcessorType.
Successfully patched DbgEng!X86MachineInfo::ConvertCanonContextToTarget.
Example:
0:000> .loadby sos clr
0:000> !wow64exts.sw
Switched to 32bit mode
0:000:x86> !threads
SOS does not support the current target architecture.
0:000:x86> .load soswow64
Successfully hooked IDebugControl::GetExecutingProcessorType.
Successfully patched DbgEng!X86MachineInfo::ConvertCanonContextToTarget.
0:000:x86> !threads
ThreadCount: 16
UnstartedThread: 0
BackgroundThread: 4
PendingThread: 0
DeadThread: 11
Hosted Runtime: no
Lock
ID OSID ThreadOBJ State GC Mode GC Alloc Context Domain Count Apt Exception
0 1 318c 00fe9d58 202a020 Preemptive 029CD30C:00000000 00fdd4d0 0 MTA
2 2 5858 00ff78c8 2b220 Preemptive 00000000:00000000 00fdd4d0 0 MTA (Finalizer)
XXXX 3 0 00fd63b8 8039820 Preemptive 00000000:00000000 00fdd4d0 0 Ukn (Threadpool Completion Port)
3 5 1ddc 01045c68 8029220 Preemptive 00000000:00000000 00fdd4d0 0 MTA (Threadpool Completion Port)
XXXX 6 0 01046c18 8039820 Preemptive 00000000:00000000 00fdd4d0 0 Ukn (Threadpool Completion Port)
XXXX 7 0 010857c8 1039820 Preemptive 00000000:00000000 00fdd4d0 0 Ukn (Threadpool Worker)
XXXX 8 0 01089a20 1039820 Preemptive 00000000:00000000 00fdd4d0 0 Ukn (Threadpool Worker)
XXXX 9 0 0108b300 1039820 Preemptive 00000000:00000000 00fdd4d0 0 Ukn (Threadpool Worker)
XXXX 10 0 0108ceb8 1039820 Preemptive 00000000:00000000 00fdd4d0 0 Ukn (Threadpool Worker)
XXXX 12 0 0109d418 1039820 Preemptive 00000000:00000000 00fdd4d0 0 Ukn (Threadpool Worker)
XXXX 13 0 0109dc38 1039820 Preemptive 00000000:00000000 00fdd4d0 0 Ukn (Threadpool Worker)
XXXX 14 0 010b2b10 1039820 Preemptive 00000000:00000000 00fdd4d0 0 Ukn (Threadpool Worker)
XXXX 15 0 01084b98 1039820 Preemptive 00000000:00000000 00fdd4d0 0 Ukn (Threadpool Worker)
XXXX 16 0 010be6b0 1039820 Preemptive 00000000:00000000 00fdd4d0 0 Ukn (Threadpool Worker)
4 18 5b88 01032318 1020220 Preemptive 00000000:00000000 00fdd4d0 0 Ukn (Threadpool Worker)
5 20 192c 0102ee48 202b220 Preemptive 029CE75C:00000000 00fdd4d0 0 MTA
使用 Windows 调试器调试托管代码
可以使用 WinDbg Windows CDB (NTSD) 调试包含托管代码的目标应用程序。 若要调试托管代码,必须加载 SOS 调试扩展插件 (sos.dll) 和数据访问组件 (mscordacwks.dll) 。
这些Windows调试器独立于Visual Studio器。 有关调试器与 Windows 调试器Visual Studio的信息,请参阅 Windows 调试。
托管代码简介
托管代码与 CLR Microsoft .NET公共语言运行时 (一) 。 在托管代码应用程序中,编译器生成的二进制代码是 Microsoft 中间语言 (MSIL) ,与平台无关。
运行托管代码时,运行时生成特定于平台的本机代码。 从 MSIL 生成本机代码的过程称为实时 (JIT) 编译。 JIT 编译器为特定方法编译 MSIL 后,该方法的本机代码将保留在内存中。 以后调用此方法时,将执行本机代码,并且无需涉及 JIT 编译器。
可以使用由各种软件生成者制造的几个编译器来生成托管代码。 具体而言,Microsoft Visual Studio使用托管扩展从多种语言(包括 C#、Visual Basic、JScript 和 C++)生成托管代码。
每次更新 CLR 时,.NET Framework更新。 例如,版本 2.0、3.0 和 3.5 .NET Framework都使用 CLR 版本 2.0。 下表显示了每个版本所使用 CLR 的版本和文件名.NET Framework。
| .NET Framework 版本 | CLR 版本 | CLR 文件名 |
|---|---|---|
| 1.1 | 1.1 | mscorwks.dll |
| 2.0 | 2.0 | mscorwks.dll |
| 3.0 | 2.0 | mscorwks.dll |
| 3.5 | 2.0 | mscorwks.dll |
| 4.0 | 4.0 | clr.dll |
| 4.5 | 4.0 | clr.dll |
调试托管代码
若要调试托管代码,调试器必须加载这两个组件。
- 数据访问组件 (DAC) (mscordacwks.dll)
- SOS 调试扩展 (sos.dll)
注意对于所有版本的 .NET Framework,DAC 的文件名是mscordacwks.dll,SOS 调试扩展的文件名是sos.dll。
获取 SOS 调试扩展 (sos.dll)
SOS 调试扩展插件 (sos.dll) 文件未包含在当前版本的调试工具中Windows。
对于.NET Framework 2.0 及更高版本,sos.dll包含在 .NET Framework 安装中。
对于版本 1。x .NET Framework,sos.dll不包括在 .NET Framework 安装中。 若要获取 sos.dll 1 .NET Framework。x,下载适用于 Windows 的 Windows 7 调试工具的 32 位Windows。
Windows 7 Windows 7 调试工具包含在 Windows SDK for Windows 7 中,可在以下两处获得:
如果运行的是 x64 版本的 Windows,请使用 ISO,以便可以指定需要 32 位版本的 SDK。 Sos.dll仅包含在 Windows 7 调试工具的 32 位Windows。
加载mscordacwks.dllsos.dll (实时调试)
假设调试器与正在调试的应用程序在同一计算机上运行。 然后.NET Framework应用程序使用的驱动程序将安装在计算机上,并且可供调试器使用。
调试器必须加载与托管代码应用程序使用的 CLR 版本相同的 DAC 版本。 32 (64 位或 64 位的) 也必须匹配。 DAC (mscordacwks.dll) 随附.NET Framework。 若要加载正确版本的 DAC,请将调试器附加到托管代码应用程序,然后输入此命令。
.cordll -ve -u -l
输出应与此类似。
CLRDLL: Loaded DLL C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll
CLR DLL status: Loaded DLL C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll
若要验证 mscordacwks.dll是否与应用程序使用的 CLR 版本匹配,请输入以下命令之一以显示有关加载的 CLR 模块的信息。
lmv mclr (CLR 版本 4.0)
lmv mscorwks (CLR 版本 1.0 或 2.0)
输出应与此类似。
start end module name
000007ff`26710000 000007ff`2706e000 clr (deferred)
Image path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
...
在上一示例中,请注意 CLR (clr.dll) 的版本与 DAC (mscordacwks.dll 版本匹配) v4.0.30319。 另请注意,这两个组件都是 64 位。
使用 .cordll 加载 DAC 时,SOS 调试扩展 (sos.dll) 可能会自动加载。 如果sos.dll加载,可以使用以下命令之一来加载它。
.loadby sos clr ( CLR 版本 4.0)
.loadby sos mscorwks (1.0 或 2.0 版 CLR)
作为使用 .loadby 的替代方法,可以使用 .load。 例如,若要加载 64 位 CLR 的版本 4.0,可以输入与此类似的命令。
.load C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.dll
请注意,在以上输出中,SOS 调试扩展 (sos.dll) 的版本与 CLR 版本和 DAC:v4.0.30319 匹配。 另请注意,所有三个组件都是 64 位。
南来地,北往的,上班的,下岗的,走过路过不要错过!
======================个性签名=====================
之前认为Apple 的iOS 设计的要比 Android 稳定,我错了吗?
下载的许多客户端程序/游戏程序,经常会Crash,是程序写的不好(内存泄漏?刚启动也会吗?)还是iOS本身的不稳定!!!
如果在Android手机中可以简单联接到ddms,就可以查看系统log,很容易看到程序为什么出错,在iPhone中如何得知呢?试试Organizer吧,分析一下Device logs,也许有用.
