get function args from x64 stack

Hi guys, I am new to windbg x64 debugging.
Can I get function args from the stack as I do in x32?

For example, in the following stack:
fffff80003cc9769 : 000000000000003b 00000000c0000005 fffff80003d53d70 fffff880072f4dc0 : nt!KeBugCheckEx
fffff80003cc90bc : fffff880072f5568 fffff880072f4dc0 0000000000000000 fffff80003cf5320 : nt!KiBugCheckDispatch+0x69
fffff80003cf4e2d : fffff80003ee5074 0000000000000000 fffff80003c4b000 fffff880072f5568 : nt!KiSystemServiceHandler+0x7c
fffff80003cf3c05 : fffff80003e11638 fffff880072f46f8 fffff880072f5568 fffff80003c4b000 : nt!RtlpExecuteHandlerForException+0xd
fffff80003d04b81 : fffff880072f5568 fffff880072f4dc0 fffff88000000000 0000000000000000 : nt!RtlDispatchException+0x415
fffff80003cc9842 : fffff880072f5568 0000000000000000 fffff880072f5610 fffffa8007a7e210 : nt!KiDispatchException+0x135
fffff80003cc83ba : 0000000000000000 0000000000000018 0000000000002000 0000000000000000 : nt!KiExceptionDispatch+0xc2
fffff80003d53d70 : fffff8800117d163 fffffa8080000001 fffffa8004a1c660 fffffa8007a7e2e0 : nt!KiPageFault+0x23a
fffff8800117d163 : fffffa8080000001 fffffa8004a1c660 fffffa8007a7e2e0 fffffa8006a7d4d0 : nt!FsRtlIsPagingFile
fffff88001132067 : fffffa8007a7e330 0000000000000000 fffffa8007a7e160 0000000010000000 : fileinfo!FIPreReadWriteCallback+0xeb
fffff88001133329 : fffff880072f5a00 0000000000000004 0000000000000000 fffffa8007b76200 : fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880011316c7 : fffffa800807b010 fffffa800469ad40 fffffa8004c26cb0 fffff880072f5a28 : fltmgr!FltpPassThrough+0x2d9
fffff80003fcdeab : 0000000000000001 fffffa800625c1f0 0000000000000001 fffffa800807b010 : fltmgr!FltpDispatch+0xb7
fffff80003fd8913 : fffffa800807b3f8 0000000000000000 fffffa800625c1f0 fffff880009e7180 : nt!IopSynchronousServiceTail+0xfb
fffff80003cc9453 : fffffa8007b76001 0000000000000000 0000000000000000 0000000000000000 : nt!NtWriteFile+0x7e2
00000000745a2e09 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 00000000`00000000 : 0x745a2e09

Where is the arg of FsRtlIsPagingFile?
I have this question because on x64 systems some args are passed in registers instead of on the stack; I wonder if windbg can track them correctly.

Thank you

Maybe yes, maybe no. See the following post:

http://analyze-v.com/?p=7

-scott


Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com


xxxxx@hotmail.com wrote:

Hi guys, I am new to windbg x64 debugging.
Can I get function args from the stack as I do in x32?

The answer is “sometimes”. In the x64 calling convention, even though
the first four arguments are passed in registers, the calling function
still has to reserve room on the stack for 4 arguments. If the called
function needs to reuse those registers, he stores the original contents
in that reserved area. Thus, especially in a deep stack like this, the
dump often has the correct values.

Murphy’s Law says that all the entries will have the correct values,
except for the one function you need.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

The output below is from kb. For kd, windbg just blindly prints out the stack entries as the parameters. So for EBP chain unwinding in X86, it would match the parameter values; but you should not trust it on AMD64.

You could use kp/kP commands to get parameter values based on symbols.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Saturday, August 11, 2012 05:55 PM
To: Kernel Debugging Interest List
Subject: [windbg] get function args from x64 stack

Hi guys, I am new to windbg x64 debugging.
Can I get function args from the stack as I do in x32?

For example, in the following stack:
fffff80003cc9769 : 000000000000003b 00000000c0000005 fffff80003d53d70 fffff880072f4dc0 : nt!KeBugCheckEx
fffff80003cc90bc : fffff880072f5568 fffff880072f4dc0 0000000000000000 fffff80003cf5320 : nt!KiBugCheckDispatch+0x69
fffff80003cf4e2d : fffff80003ee5074 0000000000000000 fffff80003c4b000 fffff880072f5568 : nt!KiSystemServiceHandler+0x7c
fffff80003cf3c05 : fffff80003e11638 fffff880072f46f8 fffff880072f5568 fffff80003c4b000 : nt!RtlpExecuteHandlerForException+0xd
fffff80003d04b81 : fffff880072f5568 fffff880072f4dc0 fffff88000000000 0000000000000000 : nt!RtlDispatchException+0x415
fffff80003cc9842 : fffff880072f5568 0000000000000000 fffff880072f5610 fffffa8007a7e210 : nt!KiDispatchException+0x135
fffff80003cc83ba : 0000000000000000 0000000000000018 0000000000002000 0000000000000000 : nt!KiExceptionDispatch+0xc2
fffff80003d53d70 : fffff8800117d163 fffffa8080000001 fffffa8004a1c660 fffffa8007a7e2e0 : nt!KiPageFault+0x23a
fffff8800117d163 : fffffa8080000001 fffffa8004a1c660 fffffa8007a7e2e0 fffffa8006a7d4d0 : nt!FsRtlIsPagingFile
fffff88001132067 : fffffa8007a7e330 0000000000000000 fffffa8007a7e160 0000000010000000 : fileinfo!FIPreReadWriteCallback+0xeb
fffff88001133329 : fffff880072f5a00 0000000000000004 0000000000000000 fffffa8007b76200 : fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880011316c7 : fffffa800807b010 fffffa800469ad40 fffffa8004c26cb0 fffff880072f5a28 : fltmgr!FltpPassThrough+0x2d9
fffff80003fcdeab : 0000000000000001 fffffa800625c1f0 0000000000000001 fffffa800807b010 : fltmgr!FltpDispatch+0xb7
fffff80003fd8913 : fffffa800807b3f8 0000000000000000 fffffa800625c1f0 fffff880009e7180 : nt!IopSynchronousServiceTail+0xfb
fffff80003cc9453 : fffffa8007b76001 0000000000000000 0000000000000000 0000000000000000 : nt!NtWriteFile+0x7e2
00000000745a2e09 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 00000000`00000000 : 0x745a2e09

Where is the arg of FsRtlIsPagingFile?
I have this question because on x64 systems some args are passed in registers instead of on the stack; I wonder if windbg can track them correctly.

Thank you


One way to know whether a function stores its args in the caller's reserved area is to look at the callee's prologue. You may see one or more of the following instructions:
module!callee:
mov qword ptr [rsp+08h],rcx
mov qword ptr [rsp+10h],rdx
mov qword ptr [rsp+18h],r8
mov qword ptr [rsp+20h],r9

All or some of the instructions above will show which args are saved. The key is that arg1 (rcx) is stored at [rsp+08h], arg2 (rdx) at [rsp+10h], etc. Some of these will be present and some may not be. The optimizer may save only arg4 and nothing else. Functions with more than 4 args will have arg5 and above on the stack (but the trace is limited to the first few).
Based on that code you know which of the args in the debugger's trace are for real and which are just a guess.
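A small checker for the approach described in the last two replies (the home space Tim describes, and the prologue spill check above), added here as an example; it is not code from the thread or from any tool mentioned in it. It parses kb frames, even when several frames have been run together on one line, scans a callee prologue for stores into the four home slots, and reports which of the "Args to Child" columns on that frame hold real argument values and which are just whatever happened to be in the slot. The stack lines are taken from the thread; the prologue is a constructed listing for a hypothetical callee, not the real nt!FsRtlIsPagingFile prologue, which you would obtain with u in the debugger.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows x64 convention: the caller reserves 32 bytes of "home space" above the
# return address; the callee may (or may not) spill RCX/RDX/R8/R9 (args 1-4) there.
# register -> (offset from RSP at callee entry, argument number)
HOME_SLOTS = {"rcx": (0x08, 1), "rdx": (0x10, 2), "r8": (0x18, 3), "r9": (0x20, 4)}

# One kb frame: "RetAddr : Arg1 Arg2 Arg3 Arg4 : Call Site" (values may carry a ` separator)
FRAME_RE = re.compile(
    r"([0-9a-f`]{16,17})\s*:\s*"
    r"([0-9a-f`]{16,17})\s+([0-9a-f`]{16,17})\s+([0-9a-f`]{16,17})\s+([0-9a-f`]{16,17})"
    r"\s*:\s*(\S+)"
)

# A home-slot spill in WinDbg disassembly syntax, e.g. "mov qword ptr [rsp+08h],rcx"
SPILL_RE = re.compile(
    r"mov\s+qword\s+ptr\s+\[rsp\+([0-9a-f]+)h?\]\s*,\s*(rcx|rdx|r8|r9)\b", re.I
)


@dataclass
class Frame:
    ret_addr: int
    args: List[int]  # the four "Args to Child" home-slot values kb printed
    site: str


def parse_kb(text: str) -> List[Frame]:
    """Parse kb output into frames; works even when extraction glued frames onto one line."""
    frames = []
    for m in FRAME_RE.finditer(text):
        words = [g.replace("`", "") for g in m.groups()[:5]]
        frames.append(Frame(int(words[0], 16), [int(w, 16) for w in words[1:]], m.group(6)))
    return frames


def find_frame(frames: List[Frame], site: str) -> Optional[Frame]:
    return next((f for f in frames if f.site == site), None)


def spilled_args(prologue: str) -> Dict[int, str]:
    """{arg_number: register} for every register the prologue stores into its own home slot."""
    found: Dict[int, str] = {}
    for m in SPILL_RE.finditer(prologue):
        offset, reg = int(m.group(1), 16), m.group(2).lower()
        slot_offset, argno = HOME_SLOTS[reg]
        if offset == slot_offset:  # a store to some other slot does not fill this arg's home slot
            found[argno] = reg
    return found


def trusted_args(frame: Frame, prologue: str) -> Dict[int, Optional[int]]:
    """arg number -> kb column value if the callee spilled that arg, else None (column is a guess)."""
    spilled = spilled_args(prologue)
    return {n: (frame.args[n - 1] if n in spilled else None) for n in range(1, 5)}


# Sample kb output taken from the thread above (the frames around nt!FsRtlIsPagingFile).
KB_SAMPLE = """
fffff80003d53d70 : fffff8800117d163 fffffa8080000001 fffffa8004a1c660 fffffa8007a7e2e0 : nt!KiPageFault+0x23a
fffff8800117d163 : fffffa8080000001 fffffa8004a1c660 fffffa8007a7e2e0 fffffa8006a7d4d0 : nt!FsRtlIsPagingFile
fffff88001132067 : fffffa8007a7e330 0000000000000000 fffffa8007a7e160 0000000010000000 : fileinfo!FIPreReadWriteCallback+0xeb
"""

# Constructed prologue for a hypothetical callee that spills only arg1 and arg4 to home space.
# This is NOT the real nt!FsRtlIsPagingFile prologue; dump that with `u nt!FsRtlIsPagingFile`.
PROLOGUE_SAMPLE = """
hypothetical!Callee:
mov     qword ptr [rsp+08h],rcx
mov     qword ptr [rsp+20h],r9
push    rbx
sub     rsp,20h
"""

if __name__ == "__main__":
    frame = find_frame(parse_kb(KB_SAMPLE), "nt!FsRtlIsPagingFile")
    for argno, value in trusted_args(frame, PROLOGUE_SAMPLE).items():
        print(f"arg{argno}: {'guess' if value is None else f'{value:016x}'}")
```

With the constructed prologue the checker reports arg1 and arg4 as real and arg2/arg3 as guesses; against a real target you would paste the callee's actual u output into PROLOGUE_SAMPLE. Where private symbols are available, kp/kP, as mentioned earlier in the thread, sidesteps the question by reading parameters from symbol information rather than from the stack slots.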

Hello,

Have a look at this debugger extension from CodeMachine.
http://www.codemachine.com/tool_cmkd.html

Thanks,
Arvind