switching to user stack in kernel dumps

Submitted by 北城以北 on 2021-02-06 09:33:06

Question


Is there a way to switch to user mode of a particular process in a kernel dump while doing postmortem debugging ?

I remember doing this while live debugging using the .process command.


Answer 1:


.process also works in kernel dumps. First, you can find your process using

!process 0 0 myprocess.exe

and then switch to that process using

.process <address>

where <address> is the hex number after PROCESS.

Note that you are still kernel debugging and you have only the physical memory of that process available (a.k.a. Working Set). The majority of virtual address space is probably swapped to disk and you cannot analyze that process as you would in user mode (especially for .NET programs, where you need the complete .NET heap).




Answer 2:


As a follow up to Thomas's response, you can use .process /p /r . This will set your usermode context and reload usermode symbols. This will make your subsequent thread commands in this new process context be able to show the usermode side of the stack. You can skip process navigation if you know your target thread by using .thread /p /r .




Answer 3:


  1. Find ProcessID

    !process 0 0 process.exe

  2. Using ProcessID to find ThreadID

    !process <ProcessID>

  3. Switch to the thread

    .thread /p /r <ThreadID>
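The three answers above combined into one annotated WinDbg command sequence for a kernel dump, added here as an example and not taken from any of the posts; the angle-bracket addresses are placeholders to be read from the `!process` output of the dump being analysed, and `myprocess.exe` is an assumed process name.

```windbg
$$ Added example (not part of the original answers). Run inside a kernel
$$ dump session; replace the <...> placeholders with values from your output.

$$ 1. Locate the process. The hex value printed after "PROCESS" is the
$$    EPROCESS address used by the next steps.
!process 0 0 myprocess.exe

$$ 2. Enter the process context. /p translates the process's page-table
$$    entries up front so its user-mode pages in the dump are addressable;
$$    /r reloads user-mode symbols once the context is set.
.process /p /r <EPROCESS address>

$$ 3. List the threads of that process. The hex value printed after "THREAD"
$$    is the ETHREAD address.
!process <EPROCESS address>

$$ 4. Switch to the thread of interest with the same /p /r semantics and walk
$$    its stack; user-mode frames appear below the kernel frames.
.thread /p /r <ETHREAD address>
k

$$ 5. If user-mode modules still resolve to bare addresses, reload user-mode
$$    symbols explicitly and check the module list.
.reload /user
lm

$$ Caveat: a kernel dump contains only the pages that were resident in
$$ physical memory, so parts of the user-mode stack or heap may be missing
$$ and frames that depend on paged-out memory cannot be walked.
```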




Answer 4:


I have an article that talks about the issues around this and the best ways to do it in both live and crash dump debugging scenarios:

http://www.osronline.com/article.cfm?id=576




Answer 5:


!dml_proc extension provides a convenient way to switch to user mode processes with a menu drawn in DML markup: example.



Source: https://stackoverflow.com/questions/22249728/switching-to-user-stack-in-kernel-dumps
