Hi! Does anybody know if/how I can read from the callstack from a specific address? suppose I have a offset address from the base address of the callstack, how can I get the base address?
thanks :)
A:
This mightily depends on the platform ABI on which the executable is running. I'd recommend using one of the accepted disassembly tools for your platform of choice, these tools can usually help obtain such information. For example, IDA Pro for Windows and Linux.
Eli Bendersky
2010-09-25 08:05:22
I'm using C++ on windows, and i'm trying to do it programmatically...
Idov
2010-09-25 08:10:33
@Idov: still you should use a disassembly tool to see the offsets you're interested in. I doubt you'll get a cookbook solution here on SO
Eli Bendersky
2010-09-25 08:34:06
I'm using StackWalk64 to get the offset. :)
Idov
2010-09-25 08:38:10
A:
In windows, you have an API to walk the complete callstack:
See this example in codeproject.com
Javier
2010-09-25 09:45:36
Sorry, I do not have a Windows box to try this out inmediately, but is not the Offset parameter inside ADDRESS64 returned for AddrFrame exactly what you want? Unless you are using a old memory model, this would be directly the absolute position of the frame pointer. Am I wrong? :)
Javier
2010-09-25 10:36:54
Thanks Idov, I am afraid that I can test it right now... But this bit of the documentation confuses me "The offset into the segment, or a 32-bit virtual address. The interpretation of this value depends on the value contained in the Mode member." [http://msdn.microsoft.com/en-us/library/ms679272], so even if it called Offset, it looks like it contains the real, full address. Is that not the case? Thanks in advance.
Javier
2010-09-25 19:15:27
I don't know...I tried to read the stack from other proces using "ReadProcessMemory"and it didn't return the correct value...
Idov
2010-09-26 19:45:49
+1
A:
Base address of the stack is in the register ESP on Windows x86 architecture. You can view ESP in the 'Registers' Windows of VS debugger
Chubsdad
2010-09-25 09:47:19
So, if I have a relative address of frame pointer of some method (returned by StackWalk64), all I need to do in order to get the its absolute address is add the relative to the ESP?
Idov
2010-09-25 09:50:47
I'm sorry if it's a stupid question, but i'm a little confused right now...
Idov
2010-09-25 09:51:25
In x86 stack grows from higher memory to lower memory.So from EBP you would actually have to subtract / (or from ESP you would have to add)
Chubsdad
2010-09-25 09:56:58