Stack-frames of QueueUserAPC and SleepEx

KERNELBASE!QueueUserAPC

  • KERNELBASE!QueueUserAPC
    • KERNELBASE!__imp_RtlQueryInformationActivationContext
    • KERNELBASE!__imp_NtQueueApcThreadEx2 -> syscall

KERNELBASE!SleepEx

  • KERNELBASE!SleepEx
    • KERNELBASE!__imp_RtlActivateActivationContextUnsafeFast
    • ntdll!RtlDelayExecution
      • ntdll!NtDelayExecution -> syscall
        • ntdll!KiUserApcDispatch
          • ntdll!KiUserCallForwarder
          • ntdll!RtlDispatchAPC
            • ntdll!RtlActivateActivationContextUnsafeFast
            • ntdll!_guard_dispatch_icall$thunk$10345483385596137414 (APCQueue!APCProc) -> jmp APCQueue!APCProc
            • ntdll!RtlDeactivateActivationContextUnsafeFast
            • ntdll!RtlReleaseActivationContext
          • ntdll!NtContinueEx (7ffc907e0c50) -> syscall -> ntdll!KiUserApcDispatch (called repeatedly until the APC queue is empty)

KERNELBASE!WriteFileEx

  • KERNELBASE!WriteFileEx
    • KERNELBASE!BasepAllocateActivationContextActivationBlock
      • KERNELBASE!__imp_RtlQueryInformationActivationContext
        • ntdll!RtlpGetActivationContextData
      • ntdll!RtlpQueryInformationActivationContextBasicInformation
        • ntdll!RtlAddRefActivationContext
    • KERNELBASE!__imp_NtWriteFile
      • 0f05 (syscall)

ucrtbase!_beginthreadex

  • ucrtbase!_beginthreadex
    • ucrtbase!create_thread_parameter
      • ucrtbase!_calloc_base (7ffd0bdedcf0)
        • qword ptr [ucrtbase!__imp_HeapAlloc (7ffd0be993c0)]
          • ntdll!RtlpAllocateHeapInternal:
            • ntdll!RtlpAllocateHeap (7ffd0e2dd160)
              • ntdll!RtlDebugAllocateHeap:
                • ntdll!RtlpCheckHeapSignature (7ffd0e30fa90)
              • ntdll!RtlEnterCriticalSection (7ffd0e2dfaa0)
              • ntdll!RtlpValidateHeap (7ffd0e3aa4a4)
              • ntdll!RtlAllocateHeap (7ffd0e2da9a0)
              • ntdll!RtlpValidateHeapHeaders (7ffd0e3aaa84)
              • ntdll!RtlpGetExtraStuffPointer (7ffd0e2b24b0)
              • ntdll!RtlLeaveCriticalSection (7ffd0e2df230)
      • ucrtbase!_free_base (7ffd0bdef040)
      • qword ptr [ucrtbase!__imp_GetModuleHandleExW (7ffd0be99400)]
    • qword ptr [ucrtbase!__imp_CreateThread (7ffd0be99560)]
      • ntdll!NtCreateThreadEx -> syscall

-----------------------------------

ntdll!RtlUserThreadStart

  • ntdll!RtlUserThreadStart
    • KERNEL32!BaseThreadInitThunk
      • ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>
        • ucrtbase!__acrt_getptd (7ffd0bdf2fe0)
        • ucrtbase!__crt_interlocked_read<long>
        • CriticalSectionSync!ThreadProc
        • ucrtbase!common_end_thread
        • ucrtbase!__acrt_FlsGetValue
      • ucrtbase!__imp_FreeLibraryAndExitThread





