OpenRCE

📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Topic created on: April 9, 2007 18:17 CDT by quig .

anyway to programatically capture the data from the callstack window?

want to dump the full callstacks for every thread and dump to file for viewing.

started implementing from scratch from getting all threads, to manually walking the call stacks, but to go from return address to Findprocbegin, you have to run Analyzecode on every module you find which is slow and Findprocbegin didnt have that great of results.

I suppose i could try to popup the window from keyboard shortcuts and subclass the window or something but that would be messy i think :(

any thoughts?

anonymouse		April 10, 2007 05:34.57 CDT
i might have some half baked codes for printing call stacks on conditional breaks i was playing with this stuff for my modified commandline plugin some time ago as far as i remember ithink you can GetPluginvalue(SOMECONST) which would give a t_dump * to ACALLSTACK or probably i reversed and found that constant address anyway all the data is available already precooked all you have to do is do FindSorteddata( tsorted * ,..,) and then find the pointer to data form where you can take on with your own format printing ill post a quick dump of call stack and the respective data `Call stack of main thread Address Stack Procedure / arguments Called from Frame 0012FFB8 00401027 <JMP.&KERNEL32.GetModuleHandleA> OLLYDBG.00401022 0012FFF0 0012FFBC 00000000 pModule = NULL` raw call stack details (size of each entry = 0x120) 02110000 B8 FF 12 00 01 00 00 00 00 00 00 01 27 10 40 00 ��.......'@. 02110010 FF FF FF FF 72 F0 4A 00 F0 FF 12 00 22 10 40 00 ��r�J.��."@. 02110020 00 00 40 00 34 E0 12 00 18 EE 90 7C F8 E0 96 7C [email protected]�.�\|��\| 02110030 FF FF FF FF D4 E0 96 7C D0 A5 94 7C 00 00 56 00 ��\|Х�\|..V. 02110040 61 00 00 50 BE 6A 92 7C 00 00 56 00 08 5C 56 00 a..P�j�\|..V.\V. 02110050 60 00 00 40 C0 DE 12 00 48 D8 5C 00 54 E0 12 00 `..@��.H�\.T�. 02110060 18 EE 90 7C C8 6A 92 7C FF FF FF FF BE 6A 92 7C �\|�j�\|��j�\| 02110070 AD 68 92 7C 00 00 56 00 60 00 00 40 6D 05 91 7C �h�\|..V.`..@m�\| 02110080 21 09 05 C3 48 D8 5C 00 00 00 00 00 B0 91 F1 77 !.�H�\.....��w 02110090 FF FF FF FF AC 91 F1 77 E4 DF 12 00 CD 8A F1 77 ��w��.͊�w 021100A0 01 00 00 00 E4 04 00 00 00 00 00 00 2A 5D 4B 00 ...�......]K. 021100B0 00 00 00 00 00 00 00 00 54 00 01 01 50 00 61 00 ........T.P.a. 021100C0 75 00 73 00 65 00 64 00 61 00 6C 00 6C 00 20 00 u.s.e.d.a.l.l. . 021100D0 73 00 74 00 61 00 63 00 6B 00 20 00 28 00 41 00 s.t.a.c.k. .(.A. 021100E0 6C 00 74 00 2B 00 4B 00 29 00 00 00 49 5E F1 77 l.t.+.K.)...I^�w 021100F0 00 00 00 00 44 E0 12 00 63 1B D5 77 06 06 00 4D ....D�.c�w.M 02110100 00 00 00 00 70 DF 12 00 C0 02 DA 77 04 E1 12 00 ....p�.��w�. 02110110 18 EE 90 7C C8 6A 92 7C FF FF FF FF BE 6A 92 7C �\|�j�\|��j�\| 02110120 BC FF 12 00 01 00 00 00 00 00 00 00 00 00 00 00 ��............ 02110130 00 00 00 00 72 F0 4A 00 F0 FF 12 00 22 10 40 00 ....r�J.��."@. 02110140 41 3D 70 4D 6F 64 75 6C 65 00 90 7C F8 E0 96 7C A=pModule.�\|��\| 02110150 FF FF FF FF D4 E0 96 7C D0 A5 94 7C 00 00 56 00 ��\|Х�\|..V. 02110160 61 00 00 50 BE 6A 92 7C 00 00 56 00 08 5C 56 00 a..P�j�\|..V.\V. 02110170 60 00 00 40 C0 DE 12 00 48 D8 5C 00 54 E0 12 00 `..@��.H�\.T�. 02110180 18 EE 90 7C C8 6A 92 7C FF FF FF FF BE 6A 92 7C �\|�j�\|��j�\| 02110190 AD 68 92 7C 00 00 56 00 60 00 00 40 6D 05 91 7C �h�\|..V.`..@m�\| 021101A0 21 09 05 C3 48 D8 5C 00 00 00 00 00 B0 91 F1 77 !.�H�\.....��w 021101B0 FF FF FF FF AC 91 F1 77 E4 DF 12 00 CD 8A F1 77 ��w��.͊�w 021101C0 01 00 00 00 E4 04 00 00 00 00 00 00 2A 5D 4B 00 ...�......]K. 021101D0 00 00 00 00 00 00 00 00 54 00 01 01 50 00 61 00 ........T.P.a. 021101E0 75 00 73 00 65 00 64 00 61 00 6C 00 6C 00 20 00 u.s.e.d.a.l.l. . 021101F0 73 00 74 00 61 00 63 00 6B 00 20 00 28 00 41 00 s.t.a.c.k. .(.A. 02110200 6C 00 74 00 2B 00 4B 00 29 00 00 00 49 5E F1 77 l.t.+.K.)...I^�w 02110210 00 00 00 00 44 E0 12 00 63 1B D5 77 06 06 00 4D ....D�.c�w.M 02110220 00 00 00 00 70 DF 12 00 C0 02 DA 77 04 E1 12 00 ....p�.��w�. 02110230 18 EE 90 7C C8 6A 92 7C FF FF FF FF BE 6A 92 7C �\|�j�\|��j�\| 2 entries == 0x240 bytes

quig		April 11, 2007 07:29.43 CDT
cool i will check it out thanks

Note: Registration is required to post to the forums.

There are 31,328 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06
Question about memor...	Dec/12

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit