sculida
Guest
I got a memory image of a Windows 7 x64 system, and then converted it to a WinDbg dmp with Volatility's raw2dmp.
I opened the dmp in WinDbg.
Then I typed
!wow64exts.sw
The rsp was normal:
16.0: kd> r rsp
Last set context:
rsp=fffff8800817d1c0
But when I dx the address, WinDbg behaved quite strangely.
16.0: kd> da fffff8800817d1c0
0000:d1c0 "????????????????????????????????"
0000:d1e0 "????????????????????????????????"
0000:d200 "????????????????????????????????"
0000:d220 "????????????????????????????????"
It seemed that WinDbg treated the address as a 16-bit number rather than a 64-bit number.
I was sure that the stack memory was good because kb could show the frames and retaddr.
Could you help me?