Applications running under WOW64 can be debugged two ways:
- Use an x86-hosted debugger such as NTSD, WinDbg, or Visual Studio. The 32-bit NTSD is installed to %systemroot%\syswow64 on retail installations. Note that x86 debuggers can be used to debug x86 code, but cannot be used to disassemble or set breakpoints within the WOW64 thunk layer because it is 64-bit native code.
- Use an x86-hosted debugger. Note: an x86 debugger cannot disassemble or set breakpoints in the Wow64 thunk layer.
- Use a native debugger such as CDB, NTSD, or WinDbg and the WOW64 debugger extension, Wow64exts.dll. If the native debugger breaks while the processor is in x86 mode, the debugger presents the process as an x86 process. If the processor is in native mode, the debugger presents the process as native.
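- Use a native debugger, or WinDbg plus the Wow64 extension. If the native debugger breaks while the processor is in x86 mode, the debugger treats the program as an x86 process; if the processor is in native mode, the debugger treats the process as native.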
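BTW: "Native" here is the counterpart of "x86". How to tell whether you are in native or x86 mode: you should know in advance whether the program itself is x86 or x64. If the program is x86 and many DLLs such as wow64cpu show up when the debugger breaks, it is in native mode, and you should use !wow64exts.sw to switch modes.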
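The note above relies on knowing beforehand whether the target image is x86 or x64. As an added example (not part of the original page), this Python sketch reads the Machine field of the PE header to answer that before attaching a debugger; the function names and the sample header bytes are constructed for illustration.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}


def pe_machine(data: bytes) -> str:
    """Return the architecture named in a PE image's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    # e_lfanew (offset 0x3C in the DOS header) points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # Machine is the first 2-byte field after the 4-byte signature
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINES.get(machine, f"unknown (0x{machine:04x})")


def runs_under_wow64(data: bytes) -> bool:
    """Assumes an x64 Windows host: an x86 image there runs under WOW64."""
    return pe_machine(data) == "x86"


def build_sample(machine: int) -> bytes:
    """Constructed minimal header: DOS header, PE signature, Machine field."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    return dos.ljust(0x80, b"\0") + coff


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read(4096)  # the headers sit at the start of the file
    else:
        image = build_sample(0x014C)  # constructed x86 sample
    print(pe_machine(image), "- WOW64 on x64 host:", runs_under_wow64(image))
```

Managed AnyCPU images also carry the x86 Machine value but can be started as 64-bit processes, so treat the result as authoritative only for native images.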
The Wow64exts debugger extension is installed with WinDbg. Use the !load wow64exts command to load the debugger extension. The following table lists the !wow64exts debugger extension commands.
| Command | Description |
| --- | --- |
| !wow64exts.sw | Switches between x86 and native mode. |
| !wow64exts.k count | Dumps a combined 32-bit/64-bit stack trace. If count is specified, the command dumps the first count addresses in each stack trace. |
| !wow64exts.info | Dumps basic information about the PEB of the process, the TEB of the current thread, and thread local storage (TLS) slots used by WOW64. |
| !wow64exts.r address | Dumps context for the specified address. If address is not specified, the command dumps context for the processor. |