EDN Admin
Hello,
Is it possible to get a stack trace starting from kernel mode all the way down to the user-mode application?
I.e.: if I register a Create Process Notify Routine, am I able to get the full stack trace back to the application that created the process?
I'm trying with RtlCaptureStackBackTrace from my driver, but I'm getting strange results.
[0] Stack Trace: F8D4F368
[1] Stack Trace: 000014D4
[2] Stack Trace: B2979FB4
[3] Stack Trace: C6B857C4
[4] Stack Trace: E1B97290
[5] Stack Trace: E1B97294
[6] Stack Trace: E22B0128
[7] Stack Trace: E22B0128
[8] Stack Trace: 8062AA80
[9] Stack Trace: E22B0100
[10] Stack Trace: E1B972C8
[11] Stack Trace: E1FB9A10
[12] Stack Trace: 00000000
[13] Stack Trace: 00000040
[14] Stack Trace: 0000BB40
While the part of the stack trace located inside the kernel memory range is right, I highly doubt that 000014D4, 00000000, 0000BB40 and 00000040 are user-mode callers. Why am I not getting, for example, ntdll.dll addresses? It should have been called to create a process.
Before tracing the stack, I'm attaching to the process that created the process, but I'm still going nowhere.
Could anyone help me?
Thank you.
Kind regards,
John
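As an added illustration, not part of John's post and not driver code: a user-mode C model of what an x86 frame-pointer walk does when it is started on the kernel stack, together with a classification of the fifteen values quoted above. Assumptions: a 32-bit Windows process with the default 2 GB user split, and a walk that follows the EBP chain while checking each frame pointer against the current stack limits, which is the behaviour an x86 RtlCaptureStackBackTrace-style walker has. The stack image, the code addresses in it and the user EBP value are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Address classes for a 32-bit Windows process with the default 2 GB user
 * split (assumption: no /3GB). The lowest 64 KB of user space is never
 * mapped, so a value there cannot be a return address at all. */
typedef enum { ADDR_KERNEL, ADDR_USER, ADDR_UNMAPPED_LOW } addr_class_t;

addr_class_t classify_address(uint32_t addr)
{
    if (addr >= 0x80000000u) return ADDR_KERNEL;
    if (addr <  0x00010000u) return ADDR_UNMAPPED_LOW;
    return ADDR_USER;
}

size_t count_class(const uint32_t *trace, size_t n, addr_class_t c)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_address(trace[i]) == c) hits++;
    return hits;
}

/* The 15 values quoted in the post, copied here as test input. */
const uint32_t posted_trace[15] = {
    0xF8D4F368u, 0x000014D4u, 0xB2979FB4u, 0xC6B857C4u, 0xE1B97290u,
    0xE1B97294u, 0xE22B0128u, 0xE22B0128u, 0x8062AA80u, 0xE22B0100u,
    0xE1B972C8u, 0xE1FB9A10u, 0x00000000u, 0x00000040u, 0x0000BB40u,
};

/* Constructed kernel stack image: 64 dwords starting at STACK_LO. */
#define STACK_LO    0xF8D4F000u
#define STACK_WORDS 64u
#define STACK_HI    (STACK_LO + STACK_WORDS * 4u)

typedef struct { uint32_t w[STACK_WORDS]; } stack_image_t;

static int in_stack(uint32_t addr)
{
    return addr >= STACK_LO && addr + 8u <= STACK_HI;
}

static uint32_t load(const stack_image_t *s, uint32_t addr)
{
    return s->w[(addr - STACK_LO) / 4u];
}

/* Frame-pointer walk as an x86 EBP-chain walker does it: each frame is
 * [saved EBP][return address]; the chain is followed only while the frame
 * pointer stays inside the stack and moves strictly upward. The value that
 * ended the walk is returned through *stop_ebp. */
size_t walk_frame_chain(const stack_image_t *s, uint32_t ebp,
                        uint32_t *out, size_t max, uint32_t *stop_ebp)
{
    size_t n = 0;
    uint32_t prev = 0;
    while (n < max && in_stack(ebp) && ebp > prev) {
        out[n++] = load(s, ebp + 4u);   /* return address sits above saved EBP */
        prev = ebp;
        ebp = load(s, ebp);             /* follow the saved EBP */
    }
    *stop_ebp = ebp;
    return n;
}

/* Three kernel frames; the last one's saved-EBP slot holds the user-mode EBP
 * preserved at the syscall boundary. All addresses are constructed. */
void build_sample_stack(stack_image_t *s)
{
    for (size_t i = 0; i < STACK_WORDS; i++) s->w[i] = 0xCCCCCCCCu;
    s->w[8]  = 0xF8D4F040u; s->w[9]  = 0xF8D40368u; /* driver callback frame */
    s->w[16] = 0xF8D4F060u; s->w[17] = 0x8062AA80u; /* kernel caller frame */
    s->w[24] = 0x0012FF80u; s->w[25] = 0x805C2B10u; /* frame next to the trap frame */
}

size_t demo_walk(uint32_t *out, size_t max, uint32_t *stop_ebp)
{
    stack_image_t s;
    build_sample_stack(&s);
    return walk_frame_chain(&s, 0xF8D4F020u, out, max, stop_ebp);
}

int main(void)
{
    uint32_t frames[16], stop;
    size_t n = demo_walk(frames, 16, &stop);
    for (size_t i = 0; i < n; i++) printf("[%zu] %08X\n", i, frames[i]);
    printf("walk stopped at EBP %08X (%s)\n", stop,
           classify_address(stop) == ADDR_USER ? "user-mode stack" : "not user-mode");
    printf("posted trace: %zu kernel, %zu user, %zu below 64 KB\n",
           count_class(posted_trace, 15, ADDR_KERNEL),
           count_class(posted_trace, 15, ADDR_USER),
           count_class(posted_trace, 15, ADDR_UNMAPPED_LOW));
    return 0;
}
```

Two things fall out of the model. The walk ends at the first saved EBP that points into the user-mode stack, because that pointer fails the kernel stack-limit check, so a frame walk started in a process-notify callback cannot on its own reach ntdll.dll frames; the user-mode stack has to be walked separately, from the user EBP, with the user pages probed before they are read. And of the fifteen posted values, eleven are kernel addresses and four (000014D4, 00000000, 00000040, 0000BB40) lie in the never-mapped low 64 KB, so whatever they are, they cannot be return addresses of a user-mode caller.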