It was a day like any other, the birds were singing, bees were trying to have sex with them (as is my understanding) and my code worked was in a working state, but not for much longer. The symbol handling part of the code was in need of a cleanup so I took the opportunity to change the symbol loading options so that the api used the more efficient (apparently) deferred loading instead of buliding the full symbol table on initialization. That’s when the pain started.
February 25, 2009
February 22, 2009
Grabbing Kernel Thread Call Stacks the Process Explorer Way – Part 3
We’ve covered how to grab a partial context for a kernel thread, and the construction of a driver, now it’s time to finally witness the fruits of our labour.
Comments Off on Grabbing Kernel Thread Call Stacks the Process Explorer Way – Part 3
February 14, 2009
Grabbing Kernel Thread Call Stacks the Process Explorer Way – Part 2
Last time, we discovered how Process Explorer gets a partial context for the kernel portions of a thread and wrote our own function that mimics it. By itself though, our code is useless; we need the rest of the driver in order to be able to use it, and that’s what we’ll be covering in this article.
Comments Off on Grabbing Kernel Thread Call Stacks the Process Explorer Way – Part 2
February 11, 2009
Grabbing Kernel Thread Call Stacks the Process Explorer Way – Part 1
If you’ve used Process Explorer chances are you’ve checked out a thread stack or two. If you’ve ever tried to implement something similar yourself, the combo of SuspendThread, GetThreadContext, ResumeThread, and StackWalk64 have more than likely done a sterling job getting a user mode trace. But what about further up the stack, or those threads locked in kernel mode?
Comments Off on Grabbing Kernel Thread Call Stacks the Process Explorer Way – Part 1