Process injection detection: using RtlCaptureStackBackTrace to obtain the call stack of the current function
https://stackoverflow.com/questions/590160/how-to-log-stack-frames-with-windows-x64
https://cpp.hotexamples.com/examples/-/-/RtlCaptureStackBackTrace/cpp-rtlcapturestackbacktrace-function-examples.html (example reference)
When debugging in the Visual Studio IDE, the Debug menu has a Call Stack window (shortcut Alt+7) that shows how the current function was reached; it turns out there is an underlying function that provides this.
RtlCaptureStackBackTrace
The RtlCaptureStackBackTrace routine captures a stack back trace by walking up the stack and recording the information for each frame.
USHORT
RtlCaptureStackBackTrace(
__in ULONG FramesToSkip,
__in ULONG FramesToCapture,
__out_ecount(FramesToCapture) PVOID *BackTrace,
__out_opt PULONG BackTraceHash
);
Parameters
FramesToSkip - The number of frames to skip from the start of the back trace.
FramesToCapture - The number of frames to be captured.
BackTrace - An array of pointers captured from the current stack trace.
BackTraceHash - An optional value that can be used to organize hash tables. If this parameter is NULL, no hash value is computed.
This value is calculated based on the values of the pointers returned in the BackTrace array. Two identical stack traces will generate identical hash values.
Return Value
The number of captured frames.
Comments
The RtlCaptureStackBackTrace routine captures a stack back trace by walking up the stack and recording the information for each frame.
Important This is an exported function that MUST probe the ability to take page faults.
In Windows XP and Windows Server 2003, the sum of the FramesToSkip and FramesToCapture parameters must be less than 63.
Requirements
Versions: Available in Windows XP and later versions of the Windows operating systems.
IRQL: <= DISPATCH_LEVEL
Headers: Declared in Ntifs.h. Include Ntifs.h or FltKernel.h.
Library: Contained in Ntoskrnl.lib.
Official documentation:
RtlCaptureStackBackTrace function (ntifs.h)
The RtlCaptureStackBackTrace routine captures a stack trace by walking the stack and recording the information for each frame.
Syntax
NTSYSAPI USHORT RtlCaptureStackBackTrace(
[in] ULONG FramesToSkip,
[in] ULONG FramesToCapture,
[out] PVOID *BackTrace,
[out, optional] PULONG BackTraceHash
);
Parameters
[in] FramesToSkip
Number of frames to skip from the start (current call point) of the back trace.
[in] FramesToCapture
Number of frames to be captured.
[out] BackTrace
Caller-allocated array in which pointers to the return addresses captured from the current stack trace are returned.
[out, optional] BackTraceHash
Optional value that can be used to organize hash tables. If this parameter is NULL, RtlCaptureStackBackTrace does not compute and return a hash value.
This hash value is calculated based on the values of the pointers returned in the BackTrace array. Two identical stack traces will generate identical hash values.
Return value
The number of captured frames.
Remarks
RtlCaptureStackBackTrace captures a stack trace for the caller by walking the stack (walking back in call time), and recording information for each frame. Specifically, RtlCaptureStackBackTrace returns pointers to the return addresses of each call on the stack, where the first pointer in the BackTrace array points to the return address of the most recent call, and so on.
Back trace hash values can be used to quickly determine whether two stack traces are identical or different. You can use the hash returned in BackTraceHash to compare stack traces. If you don't want to use hashes, or want to compute your own hash values, set BackTraceHash to NULL.
Requirements
| Requirement | Value |
| --- | --- |
| Minimum supported client | Available starting with Windows XP. |
| Target Platform | Universal |
| Header | ntifs.h (include Ntifs.h, FltKernel.h) |
| Library | NtosKrnl.lib; OneCoreUAP.lib on Windows 10 |
| DLL | NtDll.dll (user mode); NtosKrnl.exe (kernel mode) |
| IRQL | <= DISPATCH_LEVEL |
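As an added example (not code from the original post or from Microsoft), here is the detection idea the title points at, in C: capture the caller's return addresses with RtlCaptureStackBackTrace and flag any that no loaded module backs, since a caller living in unmapped-by-image memory is what injected shellcode or a manually mapped DLL looks like on the stack. The classification is kept in a portable function so it can be checked on constructed input; the Windows-only capture uses the user-mode declaration from winnt.h and GetModuleHandleEx to resolve owners, and the function names and the 61-frame buffer are my choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Address range of one loaded image (name, load base, image size). */
typedef struct { const char *name; uintptr_t base; size_t size; } module_range_t;

/* Return 1 if addr lies inside any of the known module ranges. */
static int addr_in_modules(uintptr_t addr, const module_range_t *mods, size_t nmods) {
    for (size_t i = 0; i < nmods; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size) return 1;
    return 0;
}

/* Count return addresses in a back trace that no module backs. A non-zero
   result means some caller on the stack lives in memory that no image maps,
   which is the signature of injected shellcode or a manually mapped DLL. */
size_t count_unbacked_frames(const uintptr_t *trace, size_t frames,
                             const module_range_t *mods, size_t nmods) {
    size_t unbacked = 0;
    for (size_t i = 0; i < frames; i++)
        if (!addr_in_modules(trace[i], mods, nmods)) unbacked++;
    return unbacked;
}

#ifdef _WIN32
#include <windows.h>
/* Live version: capture the caller's return addresses with
   RtlCaptureStackBackTrace (declared in winnt.h, exported by ntdll.dll) and ask
   the loader which module owns each one. FramesToSkip=1 drops this function's
   own frame; 1 + 61 keeps the sum below the documented XP limit of 63. */
size_t count_unbacked_frames_live(void) {
    PVOID trace[61];
    USHORT n = RtlCaptureStackBackTrace(1, 61, trace, NULL);
    size_t unbacked = 0;
    for (USHORT i = 0; i < n; i++) {
        HMODULE owner = NULL;
        if (!GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
                                GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                                (LPCSTR)trace[i], &owner)) {
            printf("frame %u at %p is not inside any loaded module\n", (unsigned)i, trace[i]);
            unbacked++;
        }
    }
    return unbacked;
}

int main(void) {
    /* In a clean process every frame should resolve to a module, so this prints 0. */
    printf("unbacked frames: %zu\n", count_unbacked_frames_live());
    return 0;
}
#endif
```

Because RtlCaptureStackBackTrace only records return addresses, a frame whose code was freed or unmapped after the call will also show up as unbacked; treat the count as a signal to investigate, not as proof of injection.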