![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to walk.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [WindowsNT SDKs] / mstools / samples / sdktools / image / drwatson / i386|
Return to walk.c CVS log | Up to [WindowsNT SDKs] / mstools / samples / sdktools / image / drwatson / i386 |
1.1 root 1: /*++
2:
3: Copyright (c) 1993 Microsoft Corporation
4:
5: Module Name:
6:
7: walk.c
8:
9: Abstract:
10:
11: This file provides support for stack walking.
12:
13: Author:
14:
15: Wesley Witt (wesw) 1-May-1993
16:
17: Environment:
18:
19: User Mode
20:
21: --*/
22:
23: #include <windows.h>
24: #include <stdlib.h>
25: #include <stdio.h>
26: #include <string.h>
27:
28: #include "drwatson.h"
29: #include "proto.h"
30:
31: // prototypes
32:
33: static BOOL ValidateReturnAddress ( DWORD dwRetAddr, PDEBUGPACKET dp );
34: static DWORD GetReturnAddress (DWORD *pdwStackAddr, PDEBUGPACKET dp);
35: static PFPO_DATA FindFpoDataForModule( DWORD dwPCAddr, PDEBUGPACKET dp );
36: static PFPO_DATA SearchFpoData( DWORD key, PFPO_DATA base, DWORD num );
37: static BOOL SetNonFpoFrameAddress( PSTACKWALK pstk, PDEBUGPACKET dp );
38:
39:
40:
41: BOOL
42: SetNonFpoFrameAddress( PSTACKWALK pstk, PDEBUGPACKET dp )
43: {
44: DWORD stack[4];
45: DWORD dwRetAddr;
46: DWORD dwStackAddr;
47: PFPO_DATA pFpoData;
48: int cb;
49:
50:
51: // read the first 2 dwords off the stack
52: if (!ReadProcessMemory( dp->hProcess,
53: (LPVOID)pstk->frame,
54: (LPVOID)stack,
55: 8,
56: (LPDWORD)&cb )) {
57: return FALSE;
58: }
59:
60: // a previous function in the call stack was a fpo function that used ebp as
61: // a general purpose register. ul contains the ebp value that was good before
62: // that function executed. it is that ebp that we want, not what was just read
63: // from the stack. what was just read from the stack is totally bogus.
64: if (pstk->ul > 0) {
65: stack[0] = pstk->ul;
66: pstk->ul = 0;
67: }
68: pFpoData = FindFpoDataForModule(stack[1], dp);
69: pstk->pFpoData = pFpoData;
70: if (pFpoData) {
71: //--------------------------------------------
72: // this is the code for NON-FPO -> FPO frames
73: //--------------------------------------------
74: pstk->ul = stack[0];
75: pstk->frame += (pFpoData->cdwLocals * 4) + 8;
76: if (pFpoData->cbFrame == FRAME_FPO) {
77: pstk->frame += (pFpoData->cbRegs * 4);
78: }
79: // this necessary because we need to account for any parameters that
80: // were passed to the non-fpo function
81: if (pFpoData->cbFrame == FRAME_FPO) {
82: if (!ReadProcessMemory( dp->hProcess,
83: (LPVOID)pstk->frame,
84: (LPVOID)&stack[2],
85: 8,
86: (LPDWORD)&cb )) {
87: return FALSE;
88: }
89: if (!ValidateReturnAddress(stack[2], dp)) {
90: dwStackAddr = pstk->frame;
91: dwRetAddr = GetReturnAddress(&dwStackAddr, dp);
92: if (dwRetAddr == 0) {
93: return FALSE;
94: }
95: pstk->frame = dwStackAddr - 4;
96: }
97: else {
98: pstk->frame -= 4;
99: }
100: }
101: }
102: else {
103: //------------------------------------------------
104: // this is the code for NON-FPO -> NON-FPO frames
105: //------------------------------------------------
106: pstk->pFpoData = 0;
107:
108: // dwSaveBP will be -1 when the first frame is being processed and the frame
109: // has not been setup (ie EBP has not been pushed).
110: if (pstk->ul < 0) {
111: pstk->frame = dp->tctx->frame;
112: pstk->ul = 0;
113: }
114: else {
115: pstk->frame = stack[0];
116: }
117: }
118:
119: // set the program counter to the return address
120: pstk->pc = stack[1];
121: return TRUE;
122: }
123:
124:
125: BOOL
126: StackWalkNext( PSTACKWALK pstk, PDEBUGPACKET dp )
127: {
128: DWORD dwRetAddr;
129: DWORD dwStackAddr;
130: DWORD dwTemp;
131: DWORD stack[2];
132: PFPO_DATA pCpcFpoData;
133: PFPO_DATA pRetFpoData;
134: int cb;
135:
136:
137: // check to see if the current frame is an fpo frame
138: pCpcFpoData = FindFpoDataForModule(pstk->pc, dp);
139: if (pCpcFpoData) {
140: if (!ReadProcessMemory( dp->hProcess,
141: (LPVOID)pstk->frame,
142: (LPVOID)stack,
143: 8,
144: (LPDWORD)&cb )) {
145: return FALSE;
146: }
147: dwRetAddr = stack[1];
148: // is EBP used as a general purpose register in the function?
149: if (pCpcFpoData->fUseBP == 1) {
150: // backup and get the ebp register off the stack
151: pstk->frame -= (pCpcFpoData->cdwLocals * 4) -
152: ((pCpcFpoData->cbRegs - 1) * 4);
153: if (!ReadProcessMemory( dp->hProcess,
154: (LPVOID)pstk->frame,
155: (LPVOID)&pstk->ul,
156: 4,
157: (LPDWORD)&cb )) {
158: return FALSE;
159: }
160: pstk->frame += (pCpcFpoData->cdwLocals * 4) -
161: ((pCpcFpoData->cbRegs - 1) * 4);
162: }
163: // account for parameters and the current frame
164: pstk->frame += (pCpcFpoData->cdwParams * 4) + 8;
165: // check to see if the next frame is an fpo frame
166: pRetFpoData = FindFpoDataForModule(dwRetAddr, dp);
167: if (pRetFpoData) {
168: //-----------------------------------------
169: // this is the code for FPO -> FPO frames
170: //-----------------------------------------
171: pstk->frame += (pRetFpoData->cdwLocals * 4);
172: pstk->pFpoData = pRetFpoData;
173: if (pRetFpoData->cbFrame == FRAME_FPO) {
174: pstk->frame += (pRetFpoData->cbRegs * 4);
175: // this necessary because of registers that may have been saved
176: // that we don't know about
177: dwStackAddr = pstk->frame;
178: dwTemp = GetReturnAddress(&dwStackAddr, dp);
179: if (dwTemp == 0) {
180: return FALSE;
181: }
182: pstk->frame = dwStackAddr - 4;
183: }
184: }
185: else {
186: //--------------------------------------------
187: // this is the code for FPO -> NON-FPO frames
188: //--------------------------------------------
189: pstk->pFpoData = 0;
190: if (pCpcFpoData->fUseBP == 1) {
191: pstk->frame = pstk->ul;
192: pstk->ul = 0;
193: }
194: else
195: if (pstk->ul != 0) {
196: pstk->frame = pstk->ul;
197: pstk->ul = 0;
198: }
199: }
200: pstk->pc = dwRetAddr;
201: }
202: else {
203: if (!SetNonFpoFrameAddress( pstk, dp )) {
204: return FALSE;
205: }
206: }
207:
208: // this is what should normally stop the stack walk
209: if (!ValidateReturnAddress(pstk->pc, dp)) {
210: return FALSE;
211: }
212:
213: if (!ReadProcessMemory( dp->hProcess,
214: (LPVOID)(pstk->frame+8),
215: (LPVOID)pstk->params,
216: 16,
217: (LPDWORD)&cb )) {
218: return FALSE;
219: }
220:
221: return TRUE;
222: }
223:
224:
225: BOOL
226: StackWalkInit( PSTACKWALK pstk, PDEBUGPACKET dp )
227: {
228: UCHAR code[3];
229: PFPO_DATA pFpoData;
230: int cb;
231: PMODULEINFO mi;
232:
233:
234: pstk->pc = dp->tctx->pc;
235:
236: pFpoData = FindFpoDataForModule(pstk->pc, dp);
237: pstk->pFpoData = pFpoData;
238: if (pFpoData) {
239: pstk->frame = dp->tctx->stack;
240: mi = GetModuleForPC( dp, dp->tctx->pc );
241: if (mi == NULL) {
242: return FALSE;
243: }
244: if (dp->tctx->pc == mi->dwLoadAddress+pFpoData->ulOffStart) {
245: // first byte of code
246: pstk->frame -= 4;
247: pstk->ul = dp->tctx->frame;
248: }
249: else {
250: // somewhere in the body
251: pstk->frame += (pFpoData->cdwLocals * 4);
252: if (pFpoData->cbRegs != 7) {
253: pstk->frame += (pFpoData->cbRegs * 4);
254: }
255: pstk->frame -= 4;
256: if (pFpoData->fUseBP == 1) {
257: // the last item pushed onto the stack was EBP
258: if (!ReadProcessMemory( dp->hProcess,
259: (LPVOID)pstk->frame,
260: (LPVOID)&pstk->ul,
261: 4,
262: (LPDWORD)&cb )) {
263: return FALSE;
264: }
265: }
266: else {
267: pstk->ul = dp->tctx->frame;
268: }
269: }
270: }
271: else {
272: pstk->ul = 0;
273: if (!ReadProcessMemory( dp->hProcess,
274: (LPVOID)pstk->pc,
275: (LPVOID)code,
276: 3,
277: (LPDWORD)&cb )) {
278: return FALSE;
279: }
280: if ((code[0] == 0x55) || (code[0] == 0x8b && code[1] == 0xec)) {
281: pstk->frame = dp->tctx->stack;
282: if (code[0] == 0x55) {
283: pstk->frame -= 4;
284: pstk->ul = -1;
285: }
286: }
287: else {
288: pstk->frame = dp->tctx->frame;
289: }
290: }
291:
292: if (!ReadProcessMemory( dp->hProcess,
293: (LPVOID)(pstk->frame+8),
294: (LPVOID)pstk->params,
295: 16,
296: (LPDWORD)&cb )) {
297: return FALSE;
298: }
299:
300: return TRUE;
301: }
302:
303: PFPO_DATA
304: SearchFpoData( DWORD key, PFPO_DATA base, DWORD num )
305: {
306: PFPO_DATA lo = base;
307: PFPO_DATA hi = base + (num - 1);
308: PFPO_DATA mid;
309: DWORD half;
310:
311: while (lo <= hi) {
312: if (half = num / 2) {
313: mid = lo + (num & 1 ? half : (half - 1));
314: if ((key >= mid->ulOffStart)&&(key < (mid->ulOffStart+mid->cbProcSize))) {
315: return mid;
316: }
317: if (key < mid->ulOffStart) {
318: hi = mid - 1;
319: num = num & 1 ? half : half-1;
320: }
321: else {
322: lo = mid + 1;
323: num = half;
324: }
325: }
326: else
327: if (num) {
328: if ((key >= lo->ulOffStart)&&(key < (lo->ulOffStart+lo->cbProcSize))) {
329: return lo;
330: }
331: else {
332: break;
333: }
334: }
335: else {
336: break;
337: }
338: }
339: return(NULL);
340: }
341:
342: PFPO_DATA
343: FindFpoDataForModule( DWORD dwPCAddr, PDEBUGPACKET dp )
344: {
345: PMODULEINFO mi;
346: PFPO_DATA pFpoData;
347:
348: mi = GetModuleForPC( dp, dwPCAddr );
349:
350: /*
351: * If the address was not found in any dll then return FALSE
352: */
353:
354: if (mi == NULL) {
355: return FALSE;
356: }
357:
358: if (!mi->pFpoData) {
359: return FALSE;
360: }
361:
362: /*
363: * Search for the PC in the fpo data
364: */
365: dwPCAddr -= mi->dwLoadAddress;
366: pFpoData = SearchFpoData( dwPCAddr, mi->pFpoData, mi->dwEntries );
367: return pFpoData;
368: }
369:
370: DWORD
371: GetReturnAddress (DWORD *pdwStackAddr, PDEBUGPACKET dp )
372: {
373: DWORD stack[64];
374: DWORD i, sw;
375:
376: sw = 64*4;
377: if(!ReadProcessMemory(dp->hProcess, (LPVOID)*pdwStackAddr, (LPVOID)stack, sw, &sw)) {
378: sw = 0xFFF - (*pdwStackAddr & 0xFFF);
379: if(!ReadProcessMemory(dp->hProcess, (LPVOID)*pdwStackAddr, (LPVOID)stack, sw, &sw)) {
380: return 0;
381: }
382: }
383: // scan thru the stack looking for a return address
384: for (i=0; i<sw/4; i++) {
385: if (ValidateReturnAddress(stack[i], dp)) {
386: *pdwStackAddr += (i * 4);
387: return stack[i];
388: }
389: }
390: return 0;
391: }
392:
393: BOOL
394: ValidateReturnAddress ( DWORD dwRetAddr, PDEBUGPACKET dp )
395: {
396: PMODULEINFO mi;
397:
398: mi = GetModuleForPC( dp, dwRetAddr );
399:
400: if (mi == NULL) {
401: return FALSE;
402: }
403:
404: return TRUE;
405: }
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.