My driver sometimes needs to determine the current stack beginning and obtains it via KeGetCurrentThread(). For Win10 it is:
PKTHREAD pCurrentThread = KeGetCurrentThread();
// +0x038 is KTHREAD.StackBase on Win10 x64 (undocumented, version-specific offset)
pEnvironmentPointer = (PVOID) *(PUINT64)((PCHAR)pCurrentThread + 0x038);
The problem occurs with DPCs. As written, the kernel always switches from the current thread stack to the DPC stack when handling DPCs.
A stack example may be found here: https://social.msdn.microsoft.com/Forums/en-US/ac41bbe8-39d4-4739-a009-7532d22b2cd4/dpc-stack-size-and-switch?forum=wdk
DpcStack : 0xfffff800`03c31fb0 Void from PRCB
Current thread stack - Base fffff88002261000 Limit fffff8800225b000
Child-SP          RetAddr           : Call Site
fffff80003c31fa8 fffff800026d2905 : nt!KiRetireDpcList
fffff80003c31fb0 fffff800026d271c : nt!KxRetireDpcList+0x5 (TrapFrame @ // switch is here!!!
fffff8800225fd80 fffff8000271545c : nt!KiDispatchInterruptContinue
fffff8800225fdb0 fffff8800183627b : nt!KiDpcInterrupt+0xcc (TrapFrame @
fffff8800225ff40 fffff88001835ef5 : tcpip!UdpSendMessages+0x36b
fffff88002260330 fffff800026dbefa : tcpip!UdpTlProviderSendMessagesCalloutRoutine+0x15
fffff88002260360 fffff880018364b8 : nt!KeExpandKernelStackAndCalloutEx+0xda
The problem: in a DPC, KeGetCurrentThread() reports a pointer to the thread stack base, not the DPC stack!?!
Question: how to find the DPC stack beginning?
Another source is WinDbg, which reports inside "!analyze -v":
DPC_STACK_BASE: FFFFF8004F60DFB0
Where is this address?
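As an added example, not code from the original post: a user-mode C model of the check the dump above implies. It classifies an RSP against the thread stack bounds (what the KTHREAD read in the post yields) and against the per-processor DPC stack (PRCB DpcStack taken as its Base), then locates the frame where the trace crosses from one stack to the other. The addresses are those from the dump, used as constructed input; the DPC stack size of 0x6000 bytes (the size of the thread stack in the dump) is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Stack bounds as the kernel keeps them: Base is the high end (initial RSP,
 * so an empty stack has RSP == Base) and Limit is the low end. */
typedef struct { uint64_t Limit, Base; } StackBounds;
typedef enum { STACK_THREAD, STACK_DPC, STACK_UNKNOWN } StackKind;
/* Constructed input, copied from the dump in the post. The DPC stack size is
 * an assumption: the same 0x6000 bytes the thread stack spans in that dump. */
#define KSTACK_SIZE 0x6000ULL
static const StackBounds kThreadStack = { 0xfffff8800225b000ULL, 0xfffff88002261000ULL };
static const StackBounds kDpcStack = { 0xfffff80003c31fb0ULL - KSTACK_SIZE, 0xfffff80003c31fb0ULL };
static const uint64_t kChildSp[] = {   /* Child-SP column, innermost frame first */
    0xfffff80003c31fa8ULL, /* nt!KiRetireDpcList */
    0xfffff80003c31fb0ULL, /* nt!KxRetireDpcList+0x5 */
    0xfffff8800225fd80ULL, /* nt!KiDispatchInterruptContinue */
    0xfffff8800225fdb0ULL, /* nt!KiDpcInterrupt+0xcc */
    0xfffff8800225ff40ULL, /* tcpip!UdpSendMessages+0x36b */
    0xfffff88002260330ULL, /* tcpip!UdpTlProviderSendMessagesCalloutRoutine+0x15 */
    0xfffff88002260360ULL, /* nt!KeExpandKernelStackAndCalloutEx+0xda */
};
#define CHILDSP_COUNT (sizeof kChildSp / sizeof kChildSp[0])

/* Base itself is a valid RSP (empty stack), Limit is not. */
static int on_stack(uint64_t sp, const StackBounds *b) {
    return sp > b->Limit && sp <= b->Base;
}

/* Which stack holds this RSP: the thread's own (KTHREAD StackBase/StackLimit,
 * what the 0x38 read in the post yields) or the per-processor DPC stack? */
StackKind classify_sp(uint64_t sp, const StackBounds *thread, const StackBounds *dpc) {
    if (on_stack(sp, thread)) return STACK_THREAD;
    if (on_stack(sp, dpc)) return STACK_DPC;
    return STACK_UNKNOWN;
}

/* Index of the first frame on a different stack than the frame before it
 * (the "switch is here" point in the dump), or -1 if no switch occurs. */
int find_stack_switch(const uint64_t *childsp, size_t n,
                      const StackBounds *thread, const StackBounds *dpc) {
    for (size_t i = 1; i < n; i++)
        if (classify_sp(childsp[i], thread, dpc) != classify_sp(childsp[i - 1], thread, dpc))
            return (int)i;
    return -1;
}

int main(void) {
    int at = find_stack_switch(kChildSp, CHILDSP_COUNT, &kThreadStack, &kDpcStack);
    return printf("stack switch at frame %d\n", at) > 0 ? 0 : 1;
}
```

In a driver the thread bounds would normally come from the documented IoGetStackLimits() rather than a hard-coded KTHREAD offset; whether that routine reports the DPC stack while a DPC is running is something to confirm against a dump like the one above rather than assume.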