To begin with, this is not a general question about how to do heap analysis, as I am well acquainted with earlier versions of Windows.
However, I am wondering if anyone can perform a heap analysis of a 32-bit application running through the WOW64 layer on 64-bit Windows 8, Windows 8, the keyword is here?
Starting Windows 7 and debugging tools for Windows I just applied user tags and heaps using gflags and then used the x86 version of WinDbg to join the process to get only a 32-bit context (like me, m is usually not interested in the WOW64 layer itself) . Heap information is displayed perfectly.
On Windows 8, following the same procedure, adding gflags and starting my process, memory usage after startup increases from 40 to 140 MB, indicating that gflags was pressed.
However, no matter how I try, neither WinDbg nor umdh can get any information about the heap. Neither the old method using the x86 version, nor the method described in the documentation, when working through WOW64 by running the x64 version and switching the .effmach file to a 32-bit context.
In addition, I tried this using both the debugging tools of Windows 7 and Windows 8 for Windows, so the same tools that give me good results in Windows 7 do not behave the same in Windows 8.
My last assumption is that the changes in how Windows 8 manages the heap (which I saw several articles about the Internet) probably were not completely updated / reflected in the debugging tools for Windows. I would suggest that (the scenarios of my own use include only 32-bit processes in the WOW64 context, so I don’t know for sure) that heap analysis for applications when the WOW64 level between them does not work is supposed, but that WOW64 is currently is blocking here.
I really want to know that I'm doing something wrong, or if there are problems with current tools. I am currently back at work on Windows 7 in a virtual machine to do memory analysis.
So, did anyone succeed in doing a heap analysis of a win32 application under WOW64 in Windows 8, and if so, how?