Get the stack trace of the process from the DLL that it uses

0

I am working on a VC++2013 project and I am trying to get the stack trace of the calling function from the main process from a DLL attached to it. The attached DLL has _penter and _pexit defined and the main process has /Gh and /GH flags and so calls these functions. But when I try to get the stacktrace it crashes in CaptureStackBackTrace function. I am thinking that since the _penter and _pexit is defined in the DLL its not able to see the main processes stack. All I see is that it enters _penter and _pexit thats all. I dont see any other symbols. I might be wrong. This is the code(I used this code from the an answer from stackoverflow). This is the code to get the name of the function,

process = GetCurrentProcess();
SymInitialize(process, NULL, TRUE);

frames = CaptureStackBackTrace(0, 100, stack, NULL);
symbol = (SYMBOL_INFO *)calloc(sizeof(SYMBOL_INFO) + 256 * sizeof(char), 1);
symbol->MaxNameLen = 255;
symbol->SizeOfStruct = sizeof(SYMBOL_INFO);
SymFromAddr(process, (DWORD64)(stack[1]), 0, symbol);

printf("%i: %s - 0x%0X\n", frames - 1 - 1, symbol->Name, symbol->Address);

This crashes in this line frames = CaptureStackBackTrace(0, 100, stack, NULL); after some calls and this is the output,

1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _pexit - 0xEDB718DC
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _pexit - 0xEDB718DC
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890

It crashed here.. and this is the crash:

Unhandled exception at 0x00007FF9F8679D62 (ntdll.dll) in TraceTrack.exe: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF.

Can somebody help me out in this?

EDIT: This is my asm file, extern entry:Proc extern exitp:Proc PUBLIC _penter PUBLIC _pexit

.code
    PUSHREGS    macro
        push    rax
        push    rcx
        push    rdx
        push    r8
        push    r9
        push    r10
        push    r11
    endm

    POPREGS macro
        pop r11
        pop r10
        pop r9
        pop r8
        pop rdx
        pop rcx
        pop rax
    endm

_penter proc
    push rax
    lahf
    PUSHREGS
    sub rsp, 8+16
    movdqu xmmword ptr[rsp], xmm0
    sub rsp ,8
    sub  rsp,28h 
    mov  rcx,rsp
    mov  rcx,qword ptr[rcx+136]
    call entry
    add  rsp,28h
    add rsp, 8 
    movdqu xmm0, xmmword ptr[rsp]
    add rsp, 8+ 16
    POPREGS
    sahf
    pop rax
    ret
_penter endp

_pexit proc
    push rax
    lahf
    PUSHREGS
    sub rsp, 8+16
    movdqu xmmword ptr[rsp], xmm0
    sub rsp ,8
    sub  rsp,28h 
    mov  rcx,rsp
    mov  rcx,qword ptr[rcx+136]
    call exitp
    add  rsp,28h
    add rsp, 8 
    movdqu xmm0, xmmword ptr[rsp]
    add rsp, 8+ 16
    POPREGS
    sahf
    pop rax
    ret
_pexit endp

end

EDIT2:

Also, I tried printing the 3rd frame in the line SymFromAddr(process, (DWORD64)(stack[3]), 0, symbol); and I find something strange. I find this output,

1:  - 0x0
1:  - 0x0
1: printStackTrace - 0xF0841750
1: printStackTrace - 0xF0841750
1:  - 0x0
1: on_enter - 0xF0841820
1:  - 0x0
1:  - 0x0
1:  - 0x0

The functions are organized as, (Funtion in actual program) -> _penter(exposed in DLL) -> on_enter(exposed in DLL) -> printstackFrame(exposed in DLL)

c++11
assembly
visual-c++
dll
memory-alignment
asked on Stack Overflow Jul 9, 2018 by user9639921 • edited Jul 9, 2018 by user9639921

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0