I'm investigating a Windows dump file in WinDBG. I can switch the call stack frame with the .frame command, but I found that the registers always contain the last context. I mean, is it possible to restore the context which belongs to a specific call stack frame that is not the top one?
If you're debugging an x64 target, you can use:
.frame /r
to view the registers in the frame. This information is based on the unwind data in the image, so it's pretty reliable. You can also change the context with:
.frame /c
On the x86, there's no unwind information so this trick doesn't work. .frame will still show you something for the registers, but it's not as likely to be correct (it will basically only be correct by luck).