HyperDbg Debugger
Loading...
Searching...
No Matches
Callstack.h File Reference

Kernel headers for callstacks. More...

Go to the source code of this file.

Functions

BOOLEAN CallstackWalkthroughStack (PDEBUGGER_SINGLE_CALLSTACK_FRAME AddressToSaveFrames, UINT32 *FrameCount, UINT64 StackBaseAddress, UINT32 Size, BOOLEAN Is32Bit)
 Walkthrough the stack.

Detailed Description

Kernel headers for callstacks.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2022-03-05

Function Documentation

◆ CallstackWalkthroughStack()

BOOLEAN CallstackWalkthroughStack ( PDEBUGGER_SINGLE_CALLSTACK_FRAME AddressToSaveFrames,
UINT32 * FrameCount,
UINT64 StackBaseAddress,
UINT32 Size,
BOOLEAN Is32Bit )

Walkthrough the stack.

Parameters
AddressToSaveFrames
FrameCount
StackBaseAddress
Size
Is32Bit
Returns
BOOLEAN
31{
32 UINT32 FrameIndex = 0;
33 UINT16 AddressMode = 0;
34 UINT64 Value = (UINT64)NULL;
35 UINT64 CurrentStackAddress = (UINT64)NULL;
36
37 if (Size == 0)
38 {
39 return FALSE;
40 }
41
42 if (Is32Bit)
43 {
44 //
45 // 32-bit interpretation
46 //
47 AddressMode = sizeof(UINT32);
48 FrameIndex = Size / AddressMode;
49 }
50 else
51 {
52 //
53 // 64-bit interpretation
54 //
55 AddressMode = sizeof(UINT64);
56 FrameIndex = Size / AddressMode;
57 }
58
59 //
60 // Walkthrough the stack
61 //
62 for (SIZE_T i = 0; i < FrameIndex; i++)
63 {
64 //
65 // Compute the current stack position address
66 //
67 CurrentStackAddress = StackBaseAddress + (i * AddressMode);
68 *FrameCount = FrameIndex;
69
70 if (!CheckAccessValidityAndSafety(CurrentStackAddress, AddressMode))
71 {
72 AddressToSaveFrames[i].IsStackAddressValid = FALSE;
73
74 //
75 // Stack is no longer valid or available to access from here
76 //
77 if (FrameIndex == 0)
78 {
79 //
80 // Stack is invalid
81 //
82 return FALSE;
83 }
84 else
85 {
86 //
87 // Stack is invalid, but there are frames that are still valid
88 //
89 return TRUE;
90 }
91 }
92
93 //
94 // Stack address is valid
95 //
96 AddressToSaveFrames[i].IsStackAddressValid = TRUE;
97
98 //
99 // Read the 4 or 8 byte from the target stack
100 //
101 MemoryMapperReadMemorySafeOnTargetProcess(CurrentStackAddress, &Value, AddressMode);
102
103 //
104 // Set the value
105 //
106 AddressToSaveFrames[i].Value = Value;
107
108 //
109 // This implementation has a problem, if the target jump is between two page were the second
110 // page is not available, it fails to set it as the valid address,
111 // We should check it for this page attribute (check boundary) but for now, i'm lazy enough
112 // to let it unimplemented
113 //
114 // Check if value is a valid address
115 //
117 {
118 //
119 // It's a valid address
120 //
121 AddressToSaveFrames[i].IsValidAddress = TRUE;
122
123 //
124 // Check if the target page has NX bit (executable page)
125 //
127
128 //
129 // Read the memory at the target address
130 //
132 AddressToSaveFrames[i].InstructionBytesOnRip,
134 }
135 }
136
137 //
138 // Stack walk is finished
139 //
140 return TRUE;
141}
unsigned short UINT16
Definition BasicTypes.h:53
void * PVOID
Definition BasicTypes.h:56
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
unsigned int UINT32
Definition BasicTypes.h:54
#define MAXIMUM_CALL_INSTR_SIZE
maximum size for call instruction in Intel
Definition Constants.h:475
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperCheckIfPageIsNxBitSetOnTargetProcess(_In_ PVOID Va)
IMPORT_EXPORT_VMM BOOLEAN CheckAccessValidityAndSafety(UINT64 TargetAddress, UINT32 Size)
Check the safety to access the memory.
Definition AddressCheck.c:318
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperReadMemorySafeOnTargetProcess(_In_ UINT64 VaAddressToRead, _Inout_ PVOID BufferToSaveMemory, _In_ SIZE_T SizeToRead)
RequestedActionOfThePacket Value(0x1) 00000000
BOOLEAN IsExecutable
Definition RequestStructures.h:818
BOOLEAN IsStackAddressValid
Definition RequestStructures.h:816
UINT64 Value
Definition RequestStructures.h:819
BOOLEAN IsValidAddress
Definition RequestStructures.h:817