I was trying to walk through the call stack frames and extract some information from them. I am able to extract the file names, line numbers, and function names by using the StackWalk64, SymGetSymFromAddr64, and SymGetLineFromAddr64 APIs from WinDBG.
However, the DWORD64 Params[4] in STACKFRAME64, which is a return value from StackWalk64, only supports reading back four 64-bit function parameters from a frame. Even worse, on a 32-bit system only the lower 32 bits of Params[4] are used, so a single parameter with more than 32 bits needs two or more elements.
```c
typedef struct _tagSTACKFRAME64 {
    ADDRESS64 AddrPC;        /* program counter of this frame */
    ADDRESS64 AddrReturn;    /* return address into the caller */
    ADDRESS64 AddrFrame;     /* frame pointer (ebp/rbp) */
    ADDRESS64 AddrStack;     /* stack pointer (esp/rsp) */
    ADDRESS64 AddrBStore;    /* backing store (IA-64 only) */
    PVOID     FuncTableEntry;/* function table entry, if any */
    DWORD64   Params[4];     /* only the first four "possible" parameters */
    BOOL      Far;
    BOOL      Virtual;
    DWORD64   Reserved[3];
    KDHELP64  KdHelp;
} STACKFRAME64, *LPSTACKFRAME64;
```
I couldn't find any API to read ALL the parameters from a stack frame without limitation.
I was thinking of using ebp/rbp to extract the values from the stack (x86/x64) and the registers (x64). But still, only the "possible" values of the parameters can be obtained if I do this.
Is there any API I could use to get the accurate values? It would be even better if I could get the type and name of the parameters.
A call stack is a set of lines, which is usually read from top to bottom, meaning moving from the current location to the callers. The bottom line was executed first. The top line is executed last and it is the current routine.
The input parameters are considered part of the current stack frame. In a sense, each output argument belongs to both the caller's and the callee's stack frames. In either case, the stack frame size is best defined as the difference between the caller's stack pointer and the callee's.
A stack frame is the packed information related to a function call. This information generally includes the arguments passed to the function, local variables and where to return upon terminating. Activation record is another name for a stack frame.
The call stack is divided up into contiguous pieces called stack frames, or frames for short; each frame is the data associated with one call to one function. The frame contains the arguments given to the function, the function's local variables, and the address at which the function is executing.
There is no API for it. Why should there be any? Modern OSes are not interested in some folks playing with this stuff. As said earlier, the compiler is free to make optimizations, so you can't have any deterministic tool to do it. But there are heuristics! You can know how many parameters a function has if you parse the assembly before the call or the ret after the call; you always have the return address, which you can check to see if it is in CS.
Above all, you should read about the term 'stack unwinding'.
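As an added example, not code from the question or either answer: a minimal frame-pointer walk in C over a constructed 32-bit stack image (STACK_BASE, SAMPLE_STACK, the frame_t layout and the assumption of cdecl frames with frame pointers present are all mine). It reads [ebp+8], [ebp+12], ... as candidate arguments and shows why they are only "possible" values: the third slot of the innermost frame is really a local variable of the caller, and nothing on the stack itself says where the real arguments end.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed 32-bit stack image (not a real capture), lowest address first.
 * Each cdecl frame at EBP holds [saved EBP][return address][args...];
 * the virtual address of stack[i] is STACK_BASE + 4*i. */
#define STACK_BASE 0x0019F000u
#define MAX_ARGS   6
const uint32_t SAMPLE_STACK[] = {
    0x0019F014, 0x00401234, 0x11, 0x22,  /* frame C: ebp 0x0019F000, ret into B */
    0xDEADBEEF,                          /* a local variable of B */
    0x0019F024, 0x00401500, 0x33,        /* frame B: ebp 0x0019F014, ret into A */
    0xCAFEBABE,                          /* a local variable of A */
    0x00000000, 0x76F0ABCD, 0x44, 0x55   /* frame A: saved EBP 0 ends the chain */
};
const size_t SAMPLE_NDWORDS = sizeof(SAMPLE_STACK) / sizeof(SAMPLE_STACK[0]);

typedef struct {
    uint32_t ebp, ret;        /* frame pointer and return address into the caller */
    uint32_t args[MAX_ARGS];  /* candidate arguments read at [ebp+8], [ebp+12], ... */
    int nargs;                /* how many of args[] were readable */
} frame_t;

/* Bounds-checked dword read from the image; returns 0 on an invalid address. */
static int read_dword(const uint32_t *stack, size_t n, uint32_t va, uint32_t *out) {
    if (va < STACK_BASE || (va & 3) != 0 || (va - STACK_BASE) / 4 >= n) return 0;
    *out = stack[(va - STACK_BASE) / 4];
    return 1;
}

/* Walk the saved-EBP chain; returns the number of frames recovered. The walk stops
 * when the saved EBP is 0, does not move up the stack, or leaves the image, so a
 * corrupted or frame-pointer-omitting frame ends the walk instead of looping. */
int walk_ebp_chain(const uint32_t *stack, size_t n, uint32_t ebp, frame_t *out, int max) {
    int count = 0;
    while (count < max) {
        uint32_t saved_ebp;
        if (!read_dword(stack, n, ebp, &saved_ebp) ||
            !read_dword(stack, n, ebp + 4, &out[count].ret)) break;
        out[count].ebp = ebp;
        out[count].nargs = 0;
        /* Slots past the real argument count are just the caller's frame contents;
         * only the callee's prototype (e.g. from symbols) says where the args end. */
        for (int i = 0; i < MAX_ARGS && read_dword(stack, n, ebp + 8 + 4 * i, &out[count].args[i]); i++)
            out[count].nargs++;
        count++;
        if (saved_ebp == 0 || saved_ebp <= ebp) break;
        ebp = saved_ebp;
    }
    return count;
}
```

On a live target the image would come from reading the thread's stack memory, and every saved EBP and return address should be validated before it is trusted; x64 code and x86 code built without frame pointers have no such chain and need unwind information (as the answer says, stack unwinding) instead.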