Login/Register
Windows 8: Doing heap analysis on 32 bit application running through WOW64
Asked Answered
windowswindows-8heap-memorywindbgwow64
S

1

8

To start with, this is not a general question about how to do heap analysis, as this I'm quite familiar with in earlier versions of Windows.

What I'm wondering however is if anyone has managed to perform heap analysis of a 32 bit application running through the WOW64 layer on 64 bit Windows 8, Windows 8 being the key word here?

Running Windows 7 and Debugging Tools for Windows I've simply applied the user stack and heap tagging using gflags, and then used the x86 version of WinDbg to attach to the process, to only get the 32 bit context (as I'm normally not interested in the WOW64 layer itself). Heap information shows up perfectly.

On Windows 8, doing the same procedure, adding the gflags and starting my process the memory usage after startup increases from 40 to 140MB, indicating that the gflags has kicked in.

However, no matter how I try to neither WinDbg or umdh manages to fetch any heap information. Neither the old way using the x86 version, or the way described in the documentation, when running through WOW64, by running the x64 version and switching .effmach to the 32 bit context.

In addition I've tried this using both the Windows 7 and Windows 8 versions of Debugging Tools for Windows, so the same tools that give me good results on Windows 7 does not behave the same on Windows 8.

My current guess is that the changes in how Windows 8 manages the heap (which I've seen a few articles about round the internet) has probably not been updated/reflected in the Debugging Tools for Windows entirely. I would assume (my own use scenarios only involve 32 bits processes in a WOW64 context so I do not know for certain) that heap analysis for applications when not having the WOW64 layer in between works as intended, but that the WOW64 currently is the blocker here.

I'm eager to find out if I'm doing something wrong, or if there's issues with the current tools. I've currently fallen back to running Windows 7 in a VM to do my memory analysis.

So, has anyone had any success with doing heap analysis of a win32 application under WOW64 in Windows 8, and if so how?

Swats answered 29/1, 2013 at 9:19 Comment(7)
Have you updated to the version 8 SDK to get the latest versions of these tools?Benelux
Yes, I'm using the Debugging Tools for Windows included with the Windows Driver Kit 8, to enable the Visual Studio integration. So, it is the latest available, and also a version explicitly stated that it is for Windows 8. Also gave it a try with the older Windows 7 version, by getting the redistributable after installing it on my VM, with the same results.Swats
I have a win8 wow64 process dump and !heap -s says "No heaps to display". I thought the dump was corrupted somehow but your post makes me think again :-(Teacher
Exactly same pattern as I get when running with the x86 WinDbg, which works just fine in Windows 7.Swats
See zachsaw.blogspot.com.au/2010/11/…Jolynnjon
@RohitSharma Although it's a bug encountered while under WOW64 I fail to see the relevance it has to this case?Swats
@Swats same issue here, running on Win7 works but not on Win8Shallot
B
1

Have you tried the EGGHUNTER tool? There is also a Intel Parallel Studio XE 2013 trial Version that has got lot of tools to work with.It gets attached to your IDE VS 2010 or 2012 and then you can just test run your application.The general features

Intel® Parallel Studio XE includes the next-generation software

development tools:  Intel® C, C++ and Fortran Compilers –

Industry-Leading Compilers  Intel® MKL and Intel® IPP – Performance Libraries  Intel® Threading Building Blocks and Intel® Cilk™ Plus – Parallel Programming Models  Intel® Advisor XE – Threading Assistant  Intel® VTune™ Amplifier XE – Performance & Thread Profiler  Intel® Inspector XE – Memory and Thread Checker  Static Analysis – Locate Difficult to find Defects

I guess it will help you.Thanks

Bibelot answered 19/2, 2013 at 6:11 Comment(2)
I see that the egghunter tool might be useful in some contexts of memory poking, but I'm not sure how it really relates to the heap meta data on Windows 8? The main problem as I can see it is not an issue of accessing/reading memory, but that the heap meta data which still seems to be generated (indicated by the large bump in memory usage after changing the global flags) no longer is possible to read.Swats
The Intel tool might be of a bit of help though. What I'm unsure about is if the analysis tools would work if not using the compilers included in the package, do you know? This would however only be a short term workaround, especially since I don't believe that we're on the verge of doing the jump to Intel's compilers. Thanks for the good links though! Both are good references and ideas for workarounds, even though I don't see that they solve the main issue...Swats

© 2022 - 2024 — McMap. All rights reserved.