Idov

Wow64cpu module


Hi!
I have a process which debugs another 32-bit process on Windows 7 (x64).
I paused the debugged process and watched it using ProcessMonitor.
In ProcessMonitor, on the top of the stack I see a method from wow64cpu.dll, but my debugged process doesn't load this DLL!

I even wrote a little program in C# to show me what modules are loaded, and this DLL is not loaded.

How can the debugged process use a method from that DLL?

What is going on??? :(

WOW64 == Windows 32-bit on Windows 64-bit

Nothing is going on. Just ignore it! (It's the mechanism with which Windows x64 emulates the 32-bit DLLs required for the 32-bit process.)


[quote]
WOW64 == Windows 32-bit on Windows 64-bit

Nothing is going on. Just ignore it! (It's the mechanism with which Windows x64 emulates the 32-bit DLLs required for the 32-bit process.)
[/quote]



Ok, I want to ignore it. :)
But I need to identify it when it happens so I'll be able to associate addresses in the callstack with the module and ignore them.
Is it even possible getting the information about this module (base address and size) if it isn't really even loaded?


[quote]
But I need to identify it when it happens so I'll be able to associate addresses in the callstack with the module and ignore them.
[/quote]
No you don't, because there aren't any.

You're not understanding, think of the wow64cpu dll as the emulator that allows your code to run. A program can't see into its emulator.


[quote name='Idov' timestamp='1323456580' post='4892280']
But I need to identify it when it happens so I'll be able to associate addresses in the callstack with the module and ignore them.
No you don't, because there aren't any.

You're not understanding, think of the wow64cpu dll as the emulator that allows your code to run. A program can't see into its emulator.
[/quote]

what? wait...

Maybe there aren't any addresses from this module in the callstack (I suppose I really didn't see any in the callstack), but my EIP register of my debugged process' thread DOES point at an instruction in wow64cpu :)
Did you mean that I can't get the information about wow64cpu?

Think of it this way: if you took a digital logic analyzer and pointed it at the right spot on your CPU while executing a program, you could see the microcode instructions being shuffled around. Does this mean you can debug the microcode layer of the CPU circuit from your assembly language program?

OK, so how can "ProcessHacker" or "ProcessExplorer" display stack frames from this wow64cpu?

On 64-bit computers, Process Explorer is a 64-bit program so it exists outside the 'emulator' and can see into it.

To get the full user-mode call stack of a WoW64 thread, call GetThreadContext and StackWalk64(IMAGE_FILE_MACHINE_X64, ...) (for the 64-bit code), then call Wow64GetContextThread and StackWalk64(IMAGE_FILE_MACHINE_I386, ...) (for the 32-bit code).

To get the kernel side stacks that Process Explorer also displays requires a driver and peeking into documented-but-not-officially-so structures.
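
The two-pass walk described in the last reply, as an added example that is not part of the original thread and not any poster's code. It uses the Windows SDK spellings `IMAGE_FILE_MACHINE_AMD64` and `Wow64GetThreadContext`; the names `is_wow64_layer`, `walk` and `dump_wow64_stack` are hypothetical, and the caller is assumed to be a 64-bit debugger holding handles to a stopped debuggee.

```c
#include <stdio.h>

/* Machine types as defined in winnt.h, repeated so the helper builds anywhere. */
#define MACHINE_I386  0x014c   /* IMAGE_FILE_MACHINE_I386  */
#define MACHINE_AMD64 0x8664   /* IMAGE_FILE_MACHINE_AMD64 */

/* Returns 1 for frames from the 64-bit pass over a WoW64 thread (the
   wow64cpu/wow64 layer a debugger may want to hide), 0 for the 32-bit pass. */
int is_wow64_layer(unsigned machine) { return machine == MACHINE_AMD64; }

#ifdef _WIN32                  /* build as a 64-bit program */
#include <windows.h>
#include <dbghelp.h>           /* link with dbghelp.lib */

/* Walk one side of the thread and print each frame with its module range. */
static void walk(HANDLE proc, HANDLE thread, DWORD machine, void *ctx,
                 DWORD64 pc, DWORD64 fp, DWORD64 sp) {
    STACKFRAME64 f = {0};
    f.AddrPC.Offset = pc;    f.AddrPC.Mode = AddrModeFlat;
    f.AddrFrame.Offset = fp; f.AddrFrame.Mode = AddrModeFlat;
    f.AddrStack.Offset = sp; f.AddrStack.Mode = AddrModeFlat;
    while (StackWalk64(machine, proc, thread, &f, ctx, NULL,
                       SymFunctionTableAccess64, SymGetModuleBase64, NULL)
           && f.AddrPC.Offset != 0) {
        IMAGEHLP_MODULE64 m = {0};
        m.SizeOfStruct = sizeof m;
        /* Lookup can fail for modules dbghelp has not loaded; print "?" then. */
        BOOL ok = SymGetModuleInfo64(proc, f.AddrPC.Offset, &m);
        printf("[%s] pc=%016llx module=%s base=%016llx size=%lx\n",
               is_wow64_layer(machine) ? "wow64" : "x86",
               (unsigned long long)f.AddrPC.Offset, ok ? m.ModuleName : "?",
               (unsigned long long)m.BaseOfImage, (unsigned long)m.ImageSize);
    }
}

/* Call from a 64-bit debugger while the WoW64 debuggee thread is stopped. */
int dump_wow64_stack(HANDLE proc, HANDLE thread) {
    CONTEXT c64 = {0};
    WOW64_CONTEXT c32 = {0};
    c64.ContextFlags = CONTEXT_FULL;
    c32.ContextFlags = WOW64_CONTEXT_FULL;
    if (!SymInitialize(proc, NULL, TRUE)) return -1;
    if (GetThreadContext(thread, &c64))        /* 64-bit side */
        walk(proc, thread, IMAGE_FILE_MACHINE_AMD64, &c64, c64.Rip, c64.Rbp, c64.Rsp);
    if (Wow64GetThreadContext(thread, &c32))   /* 32-bit side */
        walk(proc, thread, IMAGE_FILE_MACHINE_I386, &c32, c32.Eip, c32.Ebp, c32.Esp);
    SymCleanup(proc);
    return 0;
}
#endif
```

Frames tagged `wow64` come from the 64-bit pass and carry the module base and size the original poster asked about, so a debugger can filter them by address range.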
