进程注入检测 —— RtlCaptureStackBackTrace 获取当前函数的调用栈函数
https://stackoverflow.com/questions/590160/how-to-log-stack-frames-with-windows-x64
https://cpp.hotexamples.com/examples/-/-/RtlCaptureStackBackTrace/cpp-rtlcapturestackbacktrace-function-examples.html 例子参考
平日里用VS开发工具在调时在Debug下有一个选项Call Stack快捷键是Alt+7可以看出函数调用的来龙去脉,原来有一个这样原函数存在。
RtlCaptureStackBackTrace
The RtlCaptureStackBackTrace routine captures a stack back trace by walking up the stack and recording the information for each frame.
USHORT
RtlCaptureStackBackTrace(
__in ULONG FramesToSkip,
__in ULONG FramesToCapture,
__out_ecount(FramesToCapture) PVOID *BackTrace,
__out_opt PULONG BackTraceHash
);
Parameters
FramesToSkip- The number of frames to skip from the start of the back trace.
- The number of frames to be captured.
- An array of pointers captured from the current stack trace.
-
An optional value that can be used to organize hash tables. If this parameter is NULL, no hash value is computed.
This value is calculated based on the values of the pointers returned in the BackTrace array. Two identical stack traces will generate identical hash values.
Return Value
The number of captured frames.
Comments
The RtlCaptureStackBackTrace routine captures a stack back trace by walking up the stack and recording the information for each frame.
Important This is an exported function that MUST probe the ability to take page faults.
In Windows XP and Windows Server 2003, the sum of the FramesToSkip and FramesToCapture parameters must be less than 63.
Requirements
Versions: Available in Windows XP and later versions of the Windows operating systems.
IRQL: <= DISPATCH_LEVEL
Headers: Declared in Ntifs.h. Include Ntifs.h or FltKernel.h.
Library: Contained in Ntoskrnl.lib.
官方介绍:
RtlCaptureStackBackTrace function (ntifs.h)
The RtlCaptureStackBackTrace routine captures a stack trace by walking the stack and recording the information for each frame.
Syntax
NTSYSAPI USHORT RtlCaptureStackBackTrace(
[in] ULONG FramesToSkip,
[in] ULONG FramesToCapture,
[out] PVOID *BackTrace,
[out, optional] PULONG BackTraceHash
);
Parameters
[in] FramesToSkip
Number of frames to skip from the start (current call point) of the back trace.
[in] FramesToCapture
Number of frames to be captured.
[out] BackTrace
Caller-allocated array in which pointers to the return addresses captured from the current stack trace are returned.
[out, optional] BackTraceHash
Optional value that can be used to organize hash tables. If this parameter is NULL, RtlCaptureStackBackTrace does not compute and return a hash value.
This hash value is calculated based on the values of the pointers returned in the BackTrace array. Two identical stack traces will generate identical hash values.
Return value
The number of captured frames.
Remarks
RtlCaptureStackBackTrace captures a stack trace for the caller by walking the stack (walking back in call time), and recording information for each frame. Specifically, RtlCaptureStackBackTrace returns pointers to the return addresses of each call on the stack, where the first pointer in the BackTrace array points to the return address of the most recent call, and so on.
Back trace hash values can be used to quickly determine whether two stack traces are identical or different. You can use the hash returned in BackTraceHash to compare stack traces. If you don't want to use hashes, or want to compute your own hash values, set BackTraceHash to NULL.
Requirements
| Minimum supported client | Available in starting with Windows XP. |
| Target Platform | Universal |
| Header | ntifs.h (include Ntifs.h, FltKernel.h) |
| Library | NtosKrnl.lib; OneCoreUAP.lib on Windows 10 |
| DLL | NtDll.dll (user mode); NtosKrnl.exe (kernel mode) |
| IRQL | <= DISPATCH_LEVEL |
