
I needed to get the base and top addresses of all the stack frames, for an extension that I am writing for windbg. As an example, here is what I got:

(0) ip= 0x779e5604, ret= 0x779cda0d, frame= 0x23c79c, stack= 0x23c79c
(1) ip= 0x779cda0d, ret= 0x779b19f5, frame= 0x23c7b4, stack= 0x23c7a4
(2) ip= 0x779b19f5, ret= 0x779e665f, frame= 0x23c7d4, stack= 0x23c7bc
(3) ip= 0x779e665f, ret= 0x779aa0aa, frame= 0x23c81c, stack= 0x23c7dc
(4) ip= 0x779aa0aa, ret= 0x779765a6, frame= 0x23c910, stack= 0x23c824
(5) ip= 0x779765a6, ret= 0x7679bbe4, frame= 0x23c930, stack= 0x23c918
(6) ip= 0x7679bbe4, ret= 0x57cd4c39, frame= 0x23c944, stack= 0x23c938
(7) ip= 0x57cd4c39, ret= 0x53c6c74e, frame= 0x23c990, stack= 0x23c94c
(8) ip= 0x53c6c74e, ret= 0x53dc42d7, frame= 0x23d5a4, stack= 0x23c998
(9) ip= 0x53dc42d7, ret= 0x53bc17b0, frame= 0x23d658, stack= 0x23d5ac
(10) ip= 0x53bc17b0, ret= 0x57cf9321, frame= 0x23d85c, stack= 0x23d660
(11) ip= 0x57cf9321, ret= 0x53daf2da, frame= 0x23d9a4, stack= 0x23d864
(12) ip= 0x53daf2da, ret= 0x53d9bce5, frame= 0x23da3c, stack= 0x23d9ac
(13) ip= 0x53d9bce5, ret= 0x53cc427c, frame= 0x23dacc, stack= 0x23da44
(14) ip= 0x53cc427c, ret= 0x53ebd9e1, frame= 0x23db14, stack= 0x23dad4
(15) ip= 0x53ebd9e1, ret= 0x53d8b86f, frame= 0x23db30, stack= 0x23db1c
(16) ip= 0x53d8b86f, ret= 0x53cc439d, frame= 0x23db4c, stack= 0x23db38
(17) ip= 0x53cc439d, ret= 0x53d8b86f, frame= 0x23db94, stack= 0x23db54
(18) ip= 0x53d8b86f, ret= 0x53cc439d, frame= 0x23dbb0, stack= 0x23db9c
(19) ip= 0x53cc439d, ret= 0x53d8e4b6, frame= 0x23dbf8, stack= 0x23dbb8
(20) ip= 0x53d8e4b6, ret= 0x53d8f815, frame= 0x23dc40, stack= 0x23dc00
(21) ip= 0x53d8f815, ret= 0x53cc68f5, frame= 0x23dd00, stack= 0x23dc48
(22) ip= 0x53cc68f5, ret= 0x53ff9c4c, frame= 0x23dd5c, stack= 0x23dd08
(23) ip= 0x53ff9c4c, ret= 0x53cc98e8, frame= 0x23dddc, stack= 0x23dd64
(24) ip= 0x53cc98e8, ret= 0x53e6556e, frame= 0x23de14, stack= 0x23dde4
(25) ip= 0x53e6556e, ret= 0x53ccfe4b, frame= 0x23df50, stack= 0x23de1c
(26) ip= 0x53ccfe4b, ret= 0x0, frame= 0x0, stack= 0x23df58

ESP=0023c79c EBP=0023c79c

Okay, so according to the MSDN documentation here, if FrameOffset is zero, the current frame pointer should be used, and if StackOffset is zero, the current stack pointer should be used:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff548425%28v=vs.85%29.aspx

Now for the first frame, or frame #26 in the above example, the frame offset is shown as zero; however, the current frame offset EBP is 0023c79c, which refers to the top of the stack and thus cannot correspond to frame #26's frame offset. So how exactly am I supposed to find the base of stack frame #26?

Another question, running !teb in windbg gives me the following stack ranges:

StackBase:            00240000
StackLimit:           0022e000

Now, what exactly is in the 8360 bytes (240000 - 23df58) between the 26th stack frame pointer and the base of the stack? Does it all consist of the 26th stack frame itself, or is there something else in between as well (aside from ret and ebp)?

user1831704
  • Maybe you want to split your question into two questions, one for each purpose. – Thomas Weller Dec 16 '14 at 13:56
  • On the stack, there are also local variables – Thomas Weller Dec 16 '14 at 13:56
  • Yes, the local variables will be included in the stack frames. The reason I combined the questions was that if the region from the stack base to the 26th stack pointer consists solely of the 26th frame + ret + ebp, then my first question would be answered as it is. – user1831704 Dec 16 '14 at 14:14
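The frame-extent computation the question is after, as an added example that is not code from the question, from dbgeng or from any answer: plain C that takes the 27 frames pasted above as constructed input (only the four DEBUG_STACK_FRAME fields used are mirrored in a local struct; the real dbgeng.h struct has more), checks the x86 EBP-chain invariants that hold between adjacent frames in the dump (caller's StackOffset == callee's FrameOffset + 8, callee's ReturnOffset == caller's InstructionOffset), and derives each frame's half-open [top, base) range as [StackOffset_i, StackOffset_i+1). For the outermost frame, whose FrameOffset is reported as 0, the only upper bound used is the !teb StackBase; that bound is an assumption of the example, not a claim about what the 8360 bytes contain.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the question.  Only the DEBUG_STACK_FRAME
 * (dbgeng.h) fields used here are mirrored; the real struct has more. */
typedef struct {
    uint64_t InstructionOffset, ReturnOffset, FrameOffset, StackOffset;
} Frame;

/* The 27 frames pasted in the question, transcribed as constructed input. */
static const Frame g_frames[] = {
    {0x779e5604, 0x779cda0d, 0x23c79c, 0x23c79c},
    {0x779cda0d, 0x779b19f5, 0x23c7b4, 0x23c7a4},
    {0x779b19f5, 0x779e665f, 0x23c7d4, 0x23c7bc},
    {0x779e665f, 0x779aa0aa, 0x23c81c, 0x23c7dc},
    {0x779aa0aa, 0x779765a6, 0x23c910, 0x23c824},
    {0x779765a6, 0x7679bbe4, 0x23c930, 0x23c918},
    {0x7679bbe4, 0x57cd4c39, 0x23c944, 0x23c938},
    {0x57cd4c39, 0x53c6c74e, 0x23c990, 0x23c94c},
    {0x53c6c74e, 0x53dc42d7, 0x23d5a4, 0x23c998},
    {0x53dc42d7, 0x53bc17b0, 0x23d658, 0x23d5ac},
    {0x53bc17b0, 0x57cf9321, 0x23d85c, 0x23d660},
    {0x57cf9321, 0x53daf2da, 0x23d9a4, 0x23d864},
    {0x53daf2da, 0x53d9bce5, 0x23da3c, 0x23d9ac},
    {0x53d9bce5, 0x53cc427c, 0x23dacc, 0x23da44},
    {0x53cc427c, 0x53ebd9e1, 0x23db14, 0x23dad4},
    {0x53ebd9e1, 0x53d8b86f, 0x23db30, 0x23db1c},
    {0x53d8b86f, 0x53cc439d, 0x23db4c, 0x23db38},
    {0x53cc439d, 0x53d8b86f, 0x23db94, 0x23db54},
    {0x53d8b86f, 0x53cc439d, 0x23dbb0, 0x23db9c},
    {0x53cc439d, 0x53d8e4b6, 0x23dbf8, 0x23dbb8},
    {0x53d8e4b6, 0x53d8f815, 0x23dc40, 0x23dc00},
    {0x53d8f815, 0x53cc68f5, 0x23dd00, 0x23dc48},
    {0x53cc68f5, 0x53ff9c4c, 0x23dd5c, 0x23dd08},
    {0x53ff9c4c, 0x53cc98e8, 0x23dddc, 0x23dd64},
    {0x53cc98e8, 0x53e6556e, 0x23de14, 0x23dde4},
    {0x53e6556e, 0x53ccfe4b, 0x23df50, 0x23de1c},
    {0x53ccfe4b, 0x0,        0x0,      0x23df58},
};
#define NFRAMES (sizeof g_frames / sizeof g_frames[0])

/* Register and !teb values from the question. */
#define CUR_ESP    0x23c79cULL
#define CUR_EBP    0x23c79cULL
#define STACK_BASE 0x240000ULL   /* !teb StackBase: one past the highest stack byte */

typedef struct { uint64_t lo, hi; } Extent;   /* half-open range [lo, hi) */

/* The documented rule: a zero FrameOffset/StackOffset means "use the current
 * EBP/ESP".  As the post observes, that substitution does not give a usable
 * value for the outermost frame; it is applied here only so frame 0 resolves. */
static uint64_t frame_ptr(const Frame *f) { return f->FrameOffset ? f->FrameOffset : CUR_EBP; }
static uint64_t stack_ptr(const Frame *f) { return f->StackOffset ? f->StackOffset : CUR_ESP; }

/* x86 EBP-chain invariants between adjacent frames: the caller's StackOffset
 * is the callee's FrameOffset + 8 (saved EBP and return address popped), and
 * the callee's ReturnOffset is the caller's InstructionOffset.  Returns the
 * number of adjacent pairs that violate them (0 means a clean chain). */
int count_chain_breaks(const Frame *f, size_t n)
{
    int breaks = 0;
    for (size_t i = 0; i + 1 < n; i++) {
        if (stack_ptr(&f[i + 1]) != frame_ptr(&f[i]) + 8 ||
            f[i].ReturnOffset != f[i + 1].InstructionOffset)
            breaks++;
    }
    return breaks;
}

/* Frame i owns [StackOffset_i, StackOffset_{i+1}): its ESP on entry up to the
 * caller's ESP after the return (FrameOffset_i + 8 on a clean chain).  The
 * outermost frame reports FrameOffset 0, so the only upper bound available is
 * !teb StackBase.  Assumption: that bound says nothing about whether the whole
 * range belongs to the frame, which is the open question in the post. */
Extent frame_extent(const Frame *f, size_t n, size_t i)
{
    Extent e;
    e.lo = stack_ptr(&f[i]);
    e.hi = (i + 1 < n) ? stack_ptr(&f[i + 1]) : STACK_BASE;
    return e;
}

int main(void)
{
    printf("chain breaks: %d\n", count_chain_breaks(g_frames, NFRAMES));
    for (size_t i = 0; i < NFRAMES; i++) {
        Extent e = frame_extent(g_frames, NFRAMES, i);
        printf("(%2zu) [%#llx, %#llx) %5llu bytes\n", i,
               (unsigned long long)e.lo, (unsigned long long)e.hi,
               (unsigned long long)(e.hi - e.lo));
    }
    return 0;
}
```

Run against the dump above, every adjacent pair satisfies both invariants, so the 27 entries form one unbroken EBP chain; frame 0 collapses to the 8 bytes of saved EBP plus return address (ESP == EBP), and the outermost entry spans exactly the 8360 bytes from 0x23df58 up to StackBase. A real extension would fill the Frame array from IDebugControl::GetStackTrace instead of the constructed table and should treat a non-zero break count as a sign of FPO or a corrupted stack rather than trusting the extents.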
