How to find DPC Stack beginning?

My driver sometimes needs to defines current stack begging and receives it via KeGetCurrentThread(). For Win10 it is:

PKTHREAD pCurrentThread = KeGetCurrentThread();
pEnvironmentPointer = (PVOID) * (PUINT64)((PCHAR)pCurrentThread + 0x038);

The problem occurs with DPC. As written kernel always switches to the DPC stack from the current thread stack when handling DPCs.
The stack example may be found here": https://social.msdn.microsoft.com/Forums/en-US/ac41bbe8-39d4-4739-a009-7532d22b2cd4/dpc-stack-size-and-switch?forum=wdk

DpcStack : 0xfffff800`03c31fb0 Void from PCRB
Current thread Stack - Base fffff8800 2261000 Limit fffff880 0225b000

Child-SP RetAddr : Call Site
fffff80003c31fa8 fffff800026d2905 : nt!KiRetireDpcList
fffff80003c31fb0 fffff800026d271c : nt!KxRetireDpcList+0x5 (TrapFrame @ // switch is here!!!
fffff8800225fd80 fffff8000271545c : nt!KiDispatchInterruptContinue
fffff8800225fdb0 fffff8800183627b : nt!KiDpcInterrupt+0xcc (TrapFrame @
fffff8800225ff40 fffff88001835ef5 : tcpip!UdpSendMessages+0x36b
fffff88002260330 fffff800026dbefa : tcpip!UdpTlProviderSendMessagesCalloutRoutine+0x15
fffff88002260360 fffff880018364b8 : nt!KeExpandKernelStackAndCalloutEx+0xda

The problem: on DPC KeGetCurrentThread() reports pointer on base, not DPC stack!?!
Question: How to find DPC Stack begging?

.
Other source is WinDBG which reports inside “analize -v”:

DPC_STACK_BASE: FFFFF8004F60DFB0

Where is this address is? :neutral:

My driver sometimes needs to defines current stack begging

Why? What larger problem are you trying to solve, that you think you need this?

Peter

Peter,
I output (Log) stack in some internal assertion for following analyzing.

Procedure is written independently from IRQ Level.
But I was not aware about stack switching on DPC.
The problem how to find end of interesting stack zone…

Windows has switched stacks in DPCs for a long time… like since Vista. Windows also now (as of Win10 I think) switches stacks for ISRs, by the way.

Have you considered using RtlCaptureStackBackTrace in some way?

There’s also an Rtl routine that walks the stack for debugging… but I can find it (and don’t think it was ever documented in any case).

Peter

Peter,
thanks a lot!

I did not aware about existing this API.
I will check how it works (a bit later), it is seen what I’m needs…

And it’s documented.
Header is inside ntifs.h (way?), but really it is not important.