A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #10155  by madaboo
 Mon Dec 05, 2011 4:21 pm
Yeah I've found it already,

But it still doesn't solve the problem... how about using RtlCaptureStackBackTrace? Any example of this API?
 #10161  by Alex
 Mon Dec 05, 2011 8:37 pm
RtlCaptureStackBackTrace won't give you the address of the worker routine; if you are looking for the real worker routine you can analyze the thread's stack, looking for the nt!PspSystemThreadStartup+0x34 address:
kd> uf nt!PspSystemThreadStartup
nt!PspSystemThreadStartup:
805c628e 6a08            push    8
805c6290 68809e4d80      push    offset nt!ObWatchHandles+0x62c (804d9e80)
805c6295 e8161df7ff      call    nt!_SEH_prolog (80537fb0)
805c629a e87588f4ff      call    nt!MmAllowWorkingSetExpansion (8050eb14)
805c629f 32c9            xor     cl,cl
805c62a1 ff151c774d80    call    dword ptr [nt!_imp_KfLowerIrql (804d771c)]
805c62a7 64a124010000    mov     eax,dword ptr fs:[00000124h]
805c62ad 8bf0            mov     esi,eax
805c62af 8365fc00        and     dword ptr [ebp-4],0
805c62b3 f6864802000003  test    byte ptr [esi+248h],3
805c62ba 7506            jne     nt!PspSystemThreadStartup+0x34 (805c62c2)

nt!PspSystemThreadStartup+0x2e:
805c62bc ff750c          push    dword ptr [ebp+0Ch]
805c62bf ff5508          call    dword ptr [ebp+8]

nt!PspSystemThreadStartup+0x34:
805c62c2 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh <-- here
805c62c6 6a00            push    0
805c62c8 56              push    esi
805c62c9 e8b0290000      call    nt!PspTerminateThreadByPointer (805c8c7e)
805c62ce e8181df7ff      call    nt!_SEH_epilog (80537feb)
805c62d3 c20800          ret     8
And here is a piece of this thread's stack:
kd> dt nt!_KTHREAD 8a5b9da8
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 MutantListHead   : _LIST_ENTRY [ 0x8a5b9db8 - 0x8a5b9db8 ]
   +0x018 InitialStack     : 0xba4f0000 Void
   +0x01c StackLimit       : 0xba4ed000 Void
   +0x020 Teb              : (null) 
   +0x024 TlsArray         : (null) 
   +0x028 KernelStack      : 0xba4efd1c Void
   +0x02c DebugActive      : 0 ''
...

...
ba4efd10  ffffffff cd402efc 00000003 ba4efdcc  ......@.......N.
ba4efd20  00200246 805418c2 ba4efd6c 8a5b9da8  F. ...T.l.N...[.
ba4efd30  ffdff120 8055b1fc 80500cf0 8a5b9e18   .....U...P...[.
ba4efd40  8a5b9da8 804fb2c6 8054cfe0 8055b1fc  ..[...O...T...U.
ba4efd50  8a5b9da8 00000000 8055a1a0 ba4efdac  ..[.......U...N.
ba4efd60  805cdbc7 00000000 8055b20c ba4efdac  ..\.......U...N.
ba4efd70  80534c76 00000001 bad86901 00000000  vLS......i......
ba4efd80  00000000 8a5b9da8 00000000 bb5fffeb  ......[......._.
ba4efd90  fcedfef9 bad86901 8055b234 00000000  .....i..4.U.....
ba4efda0  8a5b9da8 00000000 [805bc020] ba4efddc  ..[..... .[...N. <-- here is an address of worker routine (nt!PopUserPresentSetWorker)
ba4efdb0  [805c62c2] 00000001 00000000 00000000  .b\............. <-- nt!PspSystemThreadStartup+0x34
ba4efdc0  00000000 ba4efdb8 af7165f5 ffffffff  ......N..eq.....
ba4efdd0  80535ee0 804d9e80 00000000 00000000  .^S...M.........
ba4efde0  80541e82 80534ba0 00000001 00000000  ..T..KS.........
ba4efdf0  0020027f 00000000 00000000 00000000  .. .............
ba4efe00  00000000 00000000 00001f80 0000ffff  ................
...

kd> u 805bc020
nt!PopUserPresentSetWorker:
805bc020 8bff            mov     edi,edi
805bc022 56              push    esi
805bc023 8b35d8cf5480    mov     esi,dword ptr [nt!PopSwitches (8054cfd8)]
805bc029 57              push    edi
805bc02a bfd8cf5480      mov     edi,offset nt!PopSwitches (8054cfd8)
805bc02f eb21            jmp     nt!PopUserPresentSetWorker+0x32 (805bc052)
805bc031 f6461004        test    byte ptr [esi+10h],4
805bc035 7419            je      nt!PopUserPresentSetWorker+0x30 (805bc050)
...
 #10163  by madaboo
 Mon Dec 05, 2011 8:55 pm
Alex,

Thank you again for your valuable input.
Actually RtlCaptureStackBackTrace does the job for me, since it's giving me a place from the worker routine (yeah, it is not the startup routine, but I can still recognize from which module it is, and it is enough for me) :)


Thank you so much to everyone.