我需要WOW64转储进行GDI句柄分析吗? [英] Do I need a WOW64 dump for GDI Handle analysis?

问题描述

我正在调试潜在的GDI手柄泄漏.感谢 @Alois Kraus ，因此有了

I'm debugging a potential GDI Handle Leak. Thanks to @Alois Kraus, there is a WinDbg script which performs a handle count.

在我的调试会话中，尤其是.NET， ，我发现通常最好有32位进程的32位转储和64位进程的64位转储.

From my debugging sessions, especially for .NET, I find that usually, it's better to have 32-bit dumps of 32-bit processes and 64-bit dumps of 64-bit processes.

不幸的是，由于收到了2个崩溃转储，该脚本无法正常工作.深入研究它，我发现这些转储中的GdiSharedHandleTable是null:

Unfortunately, with 2 crash dumps I received, the script does not work. Looking deeper into it, I found out that the GdiSharedHandleTable is null in those dumps:

0:000> dt ntdll!_PEB GdiSharedHandleTable @$peb
   +0x094 GdiSharedHandleTable : (null) 

现在，在他的网站，阿洛瓦斯提到

Now, on his website, Alois mentions

重要提示:如果您在64位操作系统上运行，则即使调试32位应用程序，也需要附加64位Windbg！

Important: If you are running on a 64 bit OS you need to attach the 64-bit Windbg even if you debug a 32-bit application!

不幸的是，在32位故障转储上使用64位WinDbg并没有帮助.结果仍然相同.

Unfortunately, using 64-bit WinDbg on the 32-bit crash dump does not help. The result is still the same.

现在这是一种理论:

• 32位进程中的某些DLL是64位DLL(请参阅Windows Internals 5，第3章，系统机制"，第211页)
• ntdll是其中之一(在64位版本和32位版本中，它加载了两次)
• 尽管GDI对象是用户对象(而不是内核对象)，但它们仍需要由OS进行绘制等.因此，可能需要在WOW64层中对其进行管理
• 这意味着我必须具有WOW64故障转储才能使其正常工作

• some DLLs in a 32-bit process are 64 bit DLLs (see Windows Internals 5, Chapter 3, "System mechanisms," page 211)
• ntdll is one of them (it is loaded twice, in the 64-bit version and the 32-bit version)
• While GDI objects are user objects (and not kernel objects), they still need to be painted, etc. by the OS. Therefore it could be required that they are managed in the WOW64 layer
• This would mean that I have to have a WOW64 crash dump to make it work

所以我的问题是:在这里我很少遇到需要WOW64故障转储的情况吗?对我的理论进行更详细的解释会很好.如果某本书中已经有很好的解释，那么只需参考该章即可.如果我还没有的话，我会买.

So my question is: do I have the seldom case here that I need a WOW64 crash dump? A more detailed explanation of my theory would be great. If there's a good explanation in some book already, a reference to the chapter is enough. I'll buy it if I don't have it yet.

推荐答案

对于GDI句柄转储，即使它是Win64计算机上的32位进程，也需要进行64位转储.如果在64位计算机上进行32位转储，则指向GDI共享句柄表的指针为空.看来此信息仅是为64位转储捕获的.

For a GDI handle dump you need to take 64 bit dump even if it is a 32 bit process on a Win64 machine. If you take a 32 bit dump on a 64 bit machine the pointer to the GDI Shared handle table is null. It looks like this information is only captured for a 64 bit dump.

这很有意义，因为您需要在32位进程中处理64位指针，因为进程的GDI句柄表部分是从内核空间映射到地址空间的.我猜想这样做是为了与32位进程只包含相同位数的指针的规则保持一致.

That makes sense since you would need to deal with 64 bit pointers in a 32 bit process because the GDI handle table part of your process is mapped from the kernel space into your address space. I guess that was done to stay consistent with the rule that a 32 bit process should only contain pointers of the same bitness.

这篇关于我需要WOW64转储进行GDI句柄分析吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！