I was wondering if there's a function available from a Windows kernel driver that can unwind the stack to get (nested) function addresses that called the current function?
This stuff:
Asked
Active
Viewed 2,160 times
0
-
2[`RtlWalkFrameChain`](https://processhacker.sourceforge.io/doc/ntfill_8h_source.html#l00341) – RbMm Jul 01 '18 at 11:24
-
@RbMm: It's not known at which IRQL it should be called, is it? – MikeF Jul 01 '18 at 18:51
-
Have a look at [CaptureStackBackTrace](https://msdn.microsoft.com/en-us/library/windows/desktop/bb204633(v=vs.85).aspx) for details. And then see an example given in this [answer](https://stackoverflow.com/a/50208684/466932). Possibly a duplicate? – Unmanned Player Jul 02 '18 at 00:28
-
@UnmannedPlayer: I'm doing this from a kernel mode. Although [`RtlCaptureStackBackTrace`](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-rtlcapturestackbacktrace) seems to be the function to use. It is basically a wrapper for `RtlWalkFrameChain` that it calls repeatedly a requested number of counts. – MikeF Jul 02 '18 at 03:59
-
@RbMm: There's one issue though with what you said about IRQL. If we follow documentation for `RtlCaptureStackBackTrace` it is `<= DISPATCH_LEVEL`, which as I said above, is the same as calling `RtlWalkFrameChain` without `RTL_WALK_USER_MODE_STACK (1)` flag. What makes you think that it can be called at any IRQL? I stepped into it and there's a lot of other function calls inside. It "walks" through various memory sections and loaded system images. There's no way all of them are loaded in a non-paged memory. There are also some locks that are being set up in some functions. – MikeF Jul 02 '18 at 04:04
-
@RbMm: Also one addition to `RtlWalkFrameChain` function's unofficial documentation that you linked to. The 3rd `Flags` parameter that it takes, besides taking the `RTL_WALK_USER_MODE_STACK (1)` flag, can also accept `FramesToSkip` integer shifted to the left 8 bits, OR'ed to it. (Learned it from reversing `RtlCaptureStackBackTrace`.) – MikeF Jul 02 '18 at 04:09
-
i mistake about irql (`<= DISPATCH_LEVEL` must be) but this api declared in `ntddk.h` – RbMm Jul 02 '18 at 11:12