手逆RtlpWalkFrameChain
只是一部分,因此不分析了
ULONG
/*
 * RtlpWalkFrameChain -- hand-reversed, partial pseudo-code; it is not
 * compilable as shown (missing semicolons, elided stretches, no braces
 * around the function body).
 *
 * Follows a chain of saved frame pointers (ebp -> nextebp) for at most
 * Count iterations; presumably each step stores one return address into
 * Callers, but that store is incomplete in the listing.
 *
 * Callers  output array (the assignment to it is truncated below).
 * Count    upper bound on the number of frames visited by the loop.
 * Flags    0: start from the current EBP register, limits taken from
 *             RtlpCaptureStackLimits().
 *          1: use the current thread's TEB stack limits; judging by the
 *             MmUserProbeAddress comparison this is the user-mode stack
 *             of the current thread -- confirm against the disassembly.
 *
 * Returns ULONG. Every exit visible here returns 0; the success return
 * (presumably the number of frames captured) is not part of the listing.
 */
RtlpWalkFrameChain (
OUT PVOID *Callers,
IN ULONG Count,
IN ULONG Flags,
)
ULONG LowLimit;
/* NOTE(review): spelled "HightLimit" here but "HighLimit" in the
   RtlpCaptureStackLimits call below -- meant to be the same variable. */
ULONG HightLimit;
ULONG* ebp;
int i;
PETHREAD thread;
PKTRAP_FRAME frame;
PTEB teb;
/* Flags == 0: walk the stack we are currently running on. */
if(!Flags)
{
/* EBP stands for the live frame-pointer register (pseudo-code). */
ebp=EBP
/* Give up if the stack bounds cannot be determined. */
if(!RtlpCaptureStackLimits(&LowLimit,&HighLimit))
return 0;
}
/* Flags == 1: limits come from the TEB instead of the current stack. */
if(Flags == 1)
{
thread=PsGetCurrentThread();
frame=thread->TrapFrame
teb=thread->Teb;
/* Refuse to walk when there is no TEB, when the trap frame pointer is
   below MmSystemRangeStart (not a kernel address), when it is at or
   below the thread's StackLimit, or when ApcStateIndex == 1
   (presumably the "attached to another process" state -- confirm).
   NOTE(review): thread.StackLimit should read thread->StackLimit. */
if(!teb || frame < MmSystemRangeStart || frame <= thread.StackLimit || thread->ApcStateIndex == 1)
return 0;
/* NOTE(review): the operator is garbled on the page ("?="); presumably
   ">=". IRQL 2 is DISPATCH_LEVEL on x86, where pageable user memory
   must not be touched -- confirm against the disassembly. */
if(KeGetCurrentIrql()?=2)
return 0;
/* Both limits are read from the TEB, which lives in user-writable
   memory, so they are untrusted values; the checks that follow are what
   keep the walk inside a sane, user-mode range. */
LowLimit = teb->NtTib.StackLimit;
HightLimit = teb->NtTib.StackBase;
/* NOTE(review): presumably the saved Ebp of the trap frame fetched
   above (frame is otherwise unused) rather than a TEB field -- confirm. */
ebp=teb->ebp;
/* Reject an empty or inverted stack range. */
if(LowLimit>=HightLimit)
return 0;
/* Compares the upper limit with MmUserProbeAddress; the body of this
   branch is elided by the author. (805599d4) appears to be the address
   of that variable in the kernel image the author analysed, so it is
   specific to that build. */
if(HightLimit<=MmUserProbeAddress (805599d4))
....
}
/* Frame walk: at most Count iterations. */
for(i=0;i<Count;i++)
{
/* Only the upper-bound test survives in the listing. NOTE(review): a
   safe walker also needs ebp >= LowLimit, pointer alignment, forward
   progress (nextebp > ebp) and guarded access to the frame memory;
   whether the elided lines below do this cannot be told from here. */
if(ebp>=HightLimit)
break;
............
/* The right-hand sides (and presumably an index on Callers) are missing
   here, possibly lost when the forum rendered the post. */
ULONG nextebp=;
Callers=;
/* Advance to the caller's frame. */
ebp=nextebp;
}
可以可以!!