How to stack walk on 64bit OS

PD_Chen · October 24, 2006, 7:28pm

Hi,
I found the 64bit OS doesn’t use EBP (RBP) to trace the stack frame. Does everbody know how to stack-walking code to find every return address on 64bit OS?

For example, after call LookupProcItem, then:
wps!LookupProcItem:
fffff9800f615390 894c2408 mov [rsp+0x8],ecx ss:0018:fffff9800d118860=ff480000
fffff9800f615394 4883ec18 sub rsp,0x18 fffff9800f615398 c7042400000000 mov dword ptr [rsp],0x0
fffff9800f61539f eb09 jmp wpsdrvnt!LookupProcItem+0x1a (fffff9800f6153aa) fffff9800f6153a1 8b0424 mov eax,[rsp]
fffff9800f6153a4 83c001 add eax,0x1 fffff9800f6153a7 890424 mov [rsp],eax
fffff9800f6153aa 488b054f5f0000 mov rax,[wpsdrvnt!nmmap+0x40 (fffff9800f61b300)] fffff9800f6153b1 8b00 mov eax,[rax]

The return address is in stack, but rsp is added some value.

Thanks.

Loren_Wilton · October 24, 2006, 10:58pm

There may be an easier way, but I think what you have to do is determine the current code address inside the procedure you are backtracking into, then find the unwind tables somewhere in the code segment for that procedure, then locate your current location in the unwind table, then extract the necessary offset information from the unwind table.

Somewhere in the msdn site there is a paper that describes the 64-bit x64 ABI and describes how the unwind tables are used for exception handling and the like. Walking the stack would be about the same thing, at a guess.

Loren

-----Original Message-----

From: xxxxx@hotmail.com
Sent: Oct 24, 2006 4:29 PM
To: Windows System Software Devs Interest List
>Subject: [ntdev] How to stack walk on 64bit OS
>
>Hi,
>I found the 64bit OS doesn’t use EBP (RBP) to trace the stack frame. Does everbody know how to stack-walking code to find every return address on 64bit OS?
>
>For example, after call LookupProcItem, then:
>wps!LookupProcItem:
>fffff9800f615390 894c2408 mov [rsp+0x8],ecx ss:0018:fffff9800d118860=ff480000
>fffff9800f615394 4883ec18 sub rsp,0x18<br>>fffff9800f615398 c7042400000000 mov dword ptr [rsp],0x0
>fffff9800f61539f eb09 jmp wpsdrvnt!LookupProcItem+0x1a (fffff9800f6153aa)<br>>fffff9800f6153a1 8b0424 mov eax,[rsp]
>fffff9800f6153a4 83c001 add eax,0x1<br>>fffff9800f6153a7 890424 mov [rsp],eax
>fffff9800f6153aa 488b054f5f0000 mov rax,[wpsdrvnt!nmmap+0x40 (fffff9800f61b300)]<br>>fffff9800f6153b1 8b00 mov eax,[rax]
>
>The return address is in stack, but rsp is added some value.
>
>Thanks.
>
>—
>Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>
>To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer