2
votes

I am using 64-bit WinDbg to dump struct information, and am trying to dump 32-bit struct information.

I start WinDbg, choose File > Kernel Debug and start a Local session. Then I dump a struct:

lkd> dt nt!_LIST_ENTRY
    +0x000 Flink            : Ptr64 _LIST_ENTRY
    +0x008 Blink            : Ptr64 _LIST_ENTRY

As expected, this shows the 64-bit struct information.

I understand that I can debug remote systems or analyze crash dumps, as long as I load the correct symbols for those Windows versions.

I tried to set the .effmach to x86, as was hinted in this comment, but I still get the 64-bit struct:

lkd> .effmach x86
Effective machine: x86 compatible (x86)
lkd:x86> .symfix
lkd:x86> .reload
Connected to Windows 7 7601 x64 target at (date), ptr64 TRUE
Loading Kernel Symbols
...............................................................
.................................................................
Loading User Symbols
..........................................
Loading unloaded module list
......
lkd> dt nt!_LIST_ENTRY
    +0x000 Flink            : Ptr64 _LIST_ENTRY
    +0x008 Blink            : Ptr64 _LIST_ENTRY

As you can see, this is not the 32-bit _LIST_ENTRY struct, but the 64-bit struct we already saw above.

My question: Is it possible to dump 32-bit struct information in a 64-bit WinDbg, without a remote 32-bit system and without a 32-bit crash dump?

2
Why would you need that structure during kernel debugging? I don't think you'll see the 32-bit struct being used by the 64-bit kernel. What's the use case? At the moment it looks to me like an XY problem. What are you really trying to achieve? - Thomas Weller
Yes, this could well be an XY problem. My use case: I'm trying to see the difference between structs of the different Windows versions, ranging from Windows XP to the current versions. Perhaps WinDbg isn't the right tool for that. - rdvdijk
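A small added script (not from the question or the answers) that parses dt output like the dumps above and reports how each field's offset and type differ between two dumps, which is the cross-version comparison the asker describes. The 32-bit dump is constructed here to stand in for what an x86 kernel session prints for the same struct:

```python
import re
from typing import List, Tuple

# One field line of WinDbg "dt" output, e.g.
#     +0x008 Blink            : Ptr64 _LIST_ENTRY
FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\S+)\s*:\s*(.+?)\s*$")

# Constructed samples: the 64-bit dump from the session above, and the
# layout a 32-bit kernel session prints for the same struct (4-byte pointers).
DT_X64 = """lkd> dt nt!_LIST_ENTRY
    +0x000 Flink            : Ptr64 _LIST_ENTRY
    +0x008 Blink            : Ptr64 _LIST_ENTRY
"""
DT_X86 = """kd> dt nt!_LIST_ENTRY
    +0x000 Flink            : Ptr32 _LIST_ENTRY
    +0x004 Blink            : Ptr32 _LIST_ENTRY
"""

def parse_dt(text: str) -> List[Tuple[int, str, str]]:
    """Return (offset, field, type) for each field line, in dump order.
    Lines that are not field lines (the prompt, blank lines) are skipped."""
    fields = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return fields

def diff_dt(old: str, new: str) -> List[str]:
    """Describe every field whose offset or type changed between two dumps,
    plus fields present in only one of them (old order first, then new-only)."""
    a = {f: (o, t) for o, f, t in parse_dt(old)}
    b = {f: (o, t) for o, f, t in parse_dt(new)}
    report = []
    for f in list(a) + [f for f in b if f not in a]:
        if f not in b:
            report.append(f"{f}: removed (was +0x{a[f][0]:03x} {a[f][1]})")
        elif f not in a:
            report.append(f"{f}: added (+0x{b[f][0]:03x} {b[f][1]})")
        elif a[f] != b[f]:
            report.append(f"{f}: +0x{a[f][0]:03x} {a[f][1]} -> +0x{b[f][0]:03x} {b[f][1]}")
    return report

if __name__ == "__main__":
    for line in diff_dt(DT_X64, DT_X86):
        print(line)
```

Paste the dt output of any two sessions (different Windows versions, or x86 versus x64) into the two strings to get a field-by-field change list.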

2 Answers

0
votes

No, there is no way to do what you're trying to do. Kernel-mode code on x64 Windows is always 64-bit and uses 64-bit structures, so the 32-bit type information is not present.

0
votes

Have you checked this link?

This may help!

EDIT : Adding some more detail.

Well, I agree with snoone that if you are debugging a 64-bit kernel, the entire address space is 64-bit. Hence all kernel-mode structures will only be 64-bit.

Now, the reason I posted the link above is: if you want to debug 32-bit apps [i.e. WoW apps] running on a 64-bit machine, then apart from .effmach x86, which you tried, there is another extension you can try. That is: !wow64exts.sw

So I wanted to introduce the wow64exts extension, which I found very helpful to remove the clutter when dealing with 32-bit stuff on a 64-bit OS!