When trying to understand closed-source binaries or collecting diagnostic data, it can be useful to capture a detailed call stack trace at any given point, especially from a function hook. The Vezel.Ruptura.Memory package provides the CallTrace API to do exactly that. For example:
This will print something like:
Of course, the captured CallTrace object has plenty of details that you can inspect programmatically. For example, you could print a bit more information about the RIP, RSP, and RBP registers in each CallFrame:
You will now get:
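As an added example (not code from the Ruptura documentation), here is a hook callback that captures a trace and walks its frames to print the registers next to each symbol. Only CallTrace.Capture() and CallFrame are named on this page; the Vezel.Ruptura.Memory.Diagnostics namespace and the Frames, IP, SP, BP and Symbol.Name members are assumptions about the package's API shape and should be checked against the package you are using.

```csharp
using System;
using System.Text;
using System.Threading;
using Vezel.Ruptura.Memory.Diagnostics; // assumed namespace of CallTrace/CallFrame

static class HookDiagnostics
{
    // Renders the registers and symbol of every frame, one line each. Kept separate from the
    // capture so the same formatting can be applied to a trace captured anywhere else.
    public static string Describe(CallTrace trace)
    {
        var sb = new StringBuilder();
        var index = 0;

        foreach (var frame in trace.Frames) // assumed: CallTrace.Frames enumerates CallFrame
        {
            // assumed: CallFrame.IP/SP/BP carry RIP/RSP/RBP; Symbol is null when no symbolicator resolved it
            var symbol = frame.Symbol?.Name ?? "<unknown>";

            sb.AppendLine(
                $"#{index++,-3} RIP=0x{frame.IP:x16} RSP=0x{frame.SP:x16} RBP=0x{frame.BP:x16} {symbol}");
        }

        return sb.ToString();
    }

    // Capturing plus symbolication is comparatively expensive (DbgHelp may load symbol files on the
    // first hit), so a hook should not trace every call. Here only the first few calls are traced,
    // with an atomic counter because hooked functions are frequently hit from several threads.
    static int s_remaining = 5;

    // Hypothetical detour body: whatever your hook runs in place of the original function.
    public static void OnHookedCall()
    {
        if (Interlocked.Decrement(ref s_remaining) < 0)
            return;

        var trace = CallTrace.Capture();

        Console.WriteLine(trace);           // the default listing shown above
        Console.WriteLine(Describe(trace)); // the register view
    }
}
```

Note that a stack trace taken from inside a hook shows your detour and the hooking machinery as the topmost frames; what you usually want is the frames below them, i.e. whoever called the hooked function.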
CallTrace tries very hard internally to fill in as much information as it can. For managed frames, information is pulled from CoreCLR internals, while for unmanaged frames, the DbgHelp library consults export names, symbol files, etc. These are implemented in the ManagedCallFrameSymbolicator and NativeCallFrameSymbolicator singleton classes, respectively, and both derive from the CallFrameSymbolicator class.
There is a CallTrace.Capture() overload that allows you to specify the CallFrameSymbolicator instances you would like to use in a call trace, instead of or in addition to the two above. This allows you to implement your own symbolicators that draw on whatever data you like. For instance, you could symbolicate based on signature matching, or based on a symbol table manually constructed while reverse engineering.
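The following is an added example, not Ruptura's own code, of the second option: a symbolicator backed by a symbol table you recovered yourself in a disassembler. The range lookup and module-base handling are independent of the library; the namespace, the SymbolicateCore override, the CallFrameSymbol constructor, the CallFrame.IP member, the Instance accessors and the shape of the Capture() overload are assumptions about the Vezel.Ruptura.Memory API and need to be checked against the package.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using Vezel.Ruptura.Memory.Diagnostics; // assumed namespace

// Symbol table entries are stored as RVAs (offsets from the module base), not absolute addresses,
// so the table built in a disassembler keeps working under ASLR; the base is resolved at runtime.
sealed class TableCallFrameSymbolicator : CallFrameSymbolicator
{
    readonly record struct Entry(uint Rva, uint Size, string Name);

    readonly string _moduleName;
    readonly Entry[] _entries; // sorted by Rva so lookups can binary search

    public TableCallFrameSymbolicator(string moduleName, IEnumerable<(uint Rva, uint Size, string Name)> table)
    {
        _moduleName = moduleName;
        _entries = table.Select(t => new Entry(t.Rva, t.Size, t.Name)).OrderBy(e => e.Rva).ToArray();
    }

    // Loaded base of the target module in this process, or 0 if it is not (yet) loaded.
    nuint ModuleBase()
    {
        foreach (ProcessModule m in Process.GetCurrentProcess().Modules)
            if (string.Equals(m.ModuleName, _moduleName, StringComparison.OrdinalIgnoreCase))
                return (nuint)(nint)m.BaseAddress;

        return 0;
    }

    // Resolves an absolute IP to the name of the function containing it and the offset into that
    // function. Returns null when the IP is outside the module or in a gap between known functions,
    // rather than mislabeling it with the nearest preceding name.
    public string? Lookup(nuint ip, nuint moduleBase, out uint offset)
    {
        offset = 0;

        if (moduleBase == 0 || ip < moduleBase || ip - moduleBase > uint.MaxValue)
            return null;

        var rva = (uint)(ip - moduleBase);

        // Last entry whose Rva <= rva.
        int lo = 0, hi = _entries.Length - 1, found = -1;

        while (lo <= hi)
        {
            var mid = lo + (hi - lo) / 2;

            if (_entries[mid].Rva <= rva)
            {
                found = mid;
                lo = mid + 1;
            }
            else
                hi = mid - 1;
        }

        if (found < 0 || rva >= _entries[found].Rva + _entries[found].Size)
            return null;

        offset = rva - _entries[found].Rva;

        return _entries[found].Name;
    }

    // Assumed extension point: the method the base class calls for each frame it fails to or is
    // asked to symbolicate. The real name/return type may differ; the lookup above is the substance.
    protected override CallFrameSymbol? SymbolicateCore(CallFrame frame)
    {
        var name = Lookup(frame.IP, ModuleBase(), out var offset);

        return name is null ? null : new CallFrameSymbol($"{_moduleName}!{name}+0x{offset:x}");
    }

    // Assumed shape of the Capture() overload: custom symbolicator first so it wins for the target
    // module, then the two built-in ones for everything else.
    public static CallTrace CaptureWith(TableCallFrameSymbolicator table) =>
        CallTrace.Capture(table, ManagedCallFrameSymbolicator.Instance, NativeCallFrameSymbolicator.Instance);
}
```

Keep the table small and honest: an entry's Size should be the real function length from the disassembler, because the gap check above is what prevents a return address in unnamed code from being attributed to the previous function.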
For NativeCallFrameSymbolicator, it is worth noting that the DbgHelp library shipped with Windows does not have symbol server support (symsrv.dll). That is why the call traces above had rather poor, export-based symbolication for coreclr.dll and related libraries.
If you obtain a standalone version of the DbgHelp library consisting of dbghelp.dll and symsrv.dll (for example from the Debugging Tools for Windows in the Windows SDK), you can simply drop them into your application directory and Ruptura will pick them up. Setting the _NT_SYMBOL_PATH environment variable to https://msdl.microsoft.com/download/symbols or similar will then enable symsrv.dll to actually download Microsoft symbol files. Doing that, you will get a much better call trace: