
I was wondering if there's a function available from a Windows kernel driver that can unwind the stack to get (nested) function addresses that called the current function?

This stuff:

[image omitted]

Comments:

  • RbMm (Jul 1, 2018 at 11:24): RtlWalkFrameChain
  • MikeF (Jul 1, 2018 at 18:51): @RbMm: It's not known at which IRQL it should be called, is it?
  • (Jul 2, 2018 at 0:28): Have a look at CaptureStackBackTrace for details. And then see an example given in this answer. Possibly a duplicate?
  • MikeF (Jul 2, 2018 at 3:59): @UnmannedPlayer: I'm doing this from kernel mode. Although RtlCaptureStackBackTrace seems to be the function to use. It is basically a wrapper for RtlWalkFrameChain, which it calls repeatedly, a requested number of times.
  • MikeF (Jul 2, 2018 at 4:04): @RbMm: There's one issue, though, with what you said about IRQL. If we follow the documentation for RtlCaptureStackBackTrace, it is <= DISPATCH_LEVEL, which, as I said above, is the same as calling RtlWalkFrameChain without the RTL_WALK_USER_MODE_STACK (1) flag. What makes you think that it can be called at any IRQL? I stepped into it and there are a lot of other function calls inside. It "walks" through various memory sections and loaded system images. There's no way all of them are loaded in non-paged memory. There are also some locks that are being set up in some functions.
