Tag Archive for 'stack trace'

[debuging tip] Manual Stack Trace and Hooking Module

Published
by
admin
on 10월 30, 2008
in Debugging Windows
. Comments

인터넷 Banking을 하려고 하는데 무슨 이유에서인지 IE가 계속 멈춰버리 더군요. 멀까 하고 덤프를 만들었는데 재미있는 Stack을 발견했습니다. 이 Stack을 가지고 한번 분석을 해보았죠.

0:029> !ntsdexts.locks

CritSec ntdll!LdrpLoaderLock+0 at 7c9ab178
LockCount 7
RecursionCount 1
OwningThread a10
EntryCount 5b
ContentionCount 5b
*** Locked

*** ERROR: Symbol file could not be found. Defaulted to export symbols for Flash9f.ocx -
CritSec Flash9f!pcre_stack_free+48f4 at 302b7d50
LockCount 0
RecursionCount 1
OwningThread 7c0
EntryCount 0
ContentionCount 0
*** Locked

locks Command를 이용해서 CS 정보를 었었습니다. LockCount가 무려 7 !!!  7개의 Thread 가 Waiting 상태군요!!7c9ab178 CS의 OwningThread인 a10을 봐봐야 겠군요 이 녀석이 어떤 이유에서 멈춰 있는듯합니다.

  29 Id: 9e0.a10 Suspend: 1 Teb: 7ff94000 Unfrozen
# ChildEBP RetAddr Args to Child
00 08d6fac8 7c93df3c 7c8025db 00000480 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 08d6facc 7c8025db 00000480 00000000 08d6fb00 ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])
02 08d6fb30 7c802542 00000480 00002710 00000000 kernel32!WaitForSingleObjectEx+0xa8 (FPO: [Non-Fpo])
03 08d6fb44 0aad7c5c 00000480 00002710 00000000 kernel32!WaitForSingleObject+0×12 (FPO: [Non-Fpo])
*** ERROR: Symbol file could not be found. Defaulted to export symbols for mdnsNSP.dll -
WARNING: Frame IP not in any known module. Following frames may be wrong.
04 08d6fbc8 160851bf 16080000 00000002 00000000 0xaad7c5c
05 08d6fc08 16085279 16080000 7c93118a 16080000 mdnsNSP!NSPStartup+0×254f
06 08d6fc30 7c94b175 1608525c 16080000 00000002 mdnsNSP!NSPStartup+0×2609
07 08d6fca4 7c94afee 08d6fd30 08d6fd30 657a6aa0 ntdll!LdrpInitializeThread+0xc0 (FPO: [Non-Fpo])
08 08d6fd1c 7c93e437 08d6fd30 7c930000 00000000 ntdll!_LdrpInitialize+0×219 (FPO: [Non-Fpo])
09 00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0×7

ntdll!KiUserApcDispatcher과 ntdll!LdrpInitializeThread를 볼때 Thread 생성중 InMemoryOrderLinks에 존재하는  DLL Entry를 실행하고 있다는 것을 알 수 있습니다.  하지만 문제를 발생시킨 부분이 깨져보이는군요. Manual Stack Trace를 해보아야 겠군요. ( 어떨결에 잘못보면 mdnsNSP에서 문제가 발생한 것으로 오인할 수 있으니 주의 하시길… )

0:029> !teb
TEB at 7ff94000
ExceptionList: 08d6fb20
StackBase: 08d70000
StackLimit: 08d62000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7ff94000
EnvironmentPointer: 00000000
ClientId: 000009e0 . 00000a10
RpcHandle: 00000000
Tls Storage: 00000000
PEB Address: 7ffd5000
LastErrorValue: 0
LastStatusValue: c0000046
Count Owned Locks: 0
HardErrorMode: 0
0:029> dps 08d62000 08d70000

08d6fb18 08d6fae0
08d6fb1c 00006bb7
08d6fb20 08d6fbf8
08d6fb24 7c839ac0 kernel32!_except_handler3
08d6fb28 7c802608 kernel32!`string’+0xd0
08d6fb2c 00000000
08d6fb30 08d6fb44
08d6fb34 7c802542 kernel32!WaitForSingleObject+0×12
08d6fb38 00000480
08d6fb3c 00002710
08d6fb40 00000000
08d6fb44 08d6fbc8
08d6fb48 0aad7c5c
08d6fb4c 00000480
08d6fb50 00002710
08d6fb54 00000000
08d6fb58 7c800000 kernel32!_imp___wcsnicmp <PERF> (kernel32+0×0)
08d6fb5c 0aad791b
08d6fb60 0ab00000
08d6fb64 00000006
08d6fb68 08d6fb74
08d6fb6c 0000000c
08d6fb70 7c943405 ntdll!RtlDecodePointer
08d6fb74 7c800000 kernel32!_imp___wcsnicmp <PERF> (kernel32+0×0)
08d6fb78 1609b9ac mdnsNSP!NSPStartup+0×18d3c
08d6fb7c 00000000
08d6fb80 0aad80cb
08d6fb84 7c800000 kernel32!_imp___wcsnicmp <PERF> (kernel32+0×0)
08d6fb88 1609b9ac mdnsNSP!NSPStartup+0×18d3c
08d6fb8c 00000000
08d6fb90 7c8097d0 kernel32!TlsGetValue
08d6fb94 16080000 mdnsNSP
08d6fb98 1608956f mdnsNSP!NSPStartup+0×68ff
08d6fb9c 7c800000 kernel32!_imp___wcsnicmp <PERF> (kernel32+0×0)
08d6fba0 1609b9ac mdnsNSP!NSPStartup+0×18d3c
08d6fba4 032c6708
08d6fba8 16085126 mdnsNSP!NSPStartup+0×24b6
08d6fbac 565f744f
08d6fbb0 00000031
08d6fbb4 032c6708
08d6fbb8 00000000
08d6fbbc 00000002
08d6fbc0 16080000 mdnsNSP
08d6fbc4 00000000
08d6fbc8 08d6fc08
08d6fbcc 160851bf mdnsNSP!NSPStartup+0×254f
08d6fbd0 16080000 mdnsNSP
08d6fbd4 00000002
08d6fbd8 00000000
08d6fbdc 4765a141
08d6fbe0 00000000
08d6fbe4 08d6fc24
08d6fbe8 7ffd5000
08d6fbec 00000001
08d6fbf0 08d6fbdc
08d6fbf4 76f11178 WLDAP32!_DllMainCRTStartup+0×52
08d6fbf8 08d6fc94
08d6fbfc 16083400 mdnsNSP!NSPStartup+0×790
08d6fc00 59ba9289
08d6fc04 00000000
08d6fc08 08d6fc30
08d6fc0c 16085279 mdnsNSP!NSPStartup+0×2609
08d6fc10 16080000 mdnsNSP
08d6fc14 7c93118a ntdll!LdrpCallInitRoutine+0×14
08d6fc18 16080000 mdnsNSP
08d6fc1c 00000002
08d6fc20 00000000
08d6fc24 7ffd5000
08d6fc28 00000000
08d6fc2c 00255a98
08d6fc30 08d6fca4
08d6fc34 7c94b175 ntdll!LdrpInitializeThread+0xc0
08d6fc38 1608525c mdnsNSP!NSPStartup+0×25ec
08d6fc3c 16080000 mdnsNSP
08d6fc40 00000002
08d6fc44 00000000
08d6fc48 7ff94000
08d6fc4c 7ffd5000
08d6fc50 00000000
08d6fc54 00000014
08d6fc58 00000001
08d6fc5c 00000000
08d6fc60 001da9c8
08d6fc64 00000000
08d6fc68 00000000
08d6fc6c 00000000
08d6fc70 00000000
08d6fc74 00000000
08d6fc78 00000000
08d6fc7c 00000000
08d6fc80 7ffd5000
08d6fc84 1608525c mdnsNSP!NSPStartup+0×25ec
08d6fc88 00255a98
08d6fc8c 08d6fc48
08d6fc90 00000000


Windbg에서 보여주고 있는 부분은 0xaad7c5c 부분입니다만 실제로 mdnsNSP!NSPStartup+0×254f 영역에서 호출한 함수는 mdnsNSP!NSPStartup+0×231d 이 부분 입니다. 그렇다면 이 Function이 호출된 것은 Stack 상에 어디에 나타 날까 ?

 0:029> ub mdnsNSP!NSPStartup+0x254f
*** ERROR: Symbol file could not be found. Defaulted to export symbols for mdnsNSP.dll -
mdnsNSP!NSPStartup+0x2538:
160851a8 ffd0 call eax
160851aa 8945e4 mov dword ptr [ebp-1Ch],eax
160851ad 837de400 cmp dword ptr [ebp-1Ch],0
160851b1 0f8496000000 je mdnsNSP!NSPStartup+0×25dd (1608524d)
160851b7 57 push edi
160851b8 56 push esi
160851b9 53 push ebx
160851ba e8cefdffff call mdnsNSP!NSPStartup+0×231d (16084f8d)

0:029> uf mdnsNSP!NSPStartup+0×231d
mdnsNSP!NSPStartup+0×231d:
16084f8d 55 push ebp
16084f8e 8bec mov ebp,esp
16084f90 51 push ecx
16084f91 8b450c mov eax,dword ptr [ebp+0Ch]
16084f94 83f801 cmp eax,1
16084f97 53 push ebx
16084f98 56 push esi
…생략
mdnsNSP!NSPStartup+0×24e5:
16085155 57 push edi
16085156 e83c470000 call mdnsNSP!NSPStartup+0×6c27 (16089897)
1608515b 59 pop ecx

mdnsNSP!NSPStartup+0×24ec:
1608515c 33c0 xor eax,eax
1608515e 40 inc eax

mdnsNSP!NSPStartup+0×24ef:
1608515f 5f pop edi
16085160 5e pop esi
16085161 5b pop ebx
16085162 c9 leave
16085163 c20c00 ret 0Ch
mdnsNSP!NSPStartup+0×231d 함수가 메모리 상에 실제 위치하는 영역은 16084f8d  부터 16085163 부분 이군요 그럼 이 부분 Stack상에 어디에 표시되어 있을까 ?

...
08d6fb90 7c8097d0 kernel32!TlsGetValue
08d6fb94 16080000 mdnsNSP
08d6fb98 1608956f mdnsNSP!NSPStartup+0×68ff
08d6fb9c 7c800000 kernel32!_imp___wcsnicmp <PERF> (kernel32+0×0)
08d6fba0 1609b9ac mdnsNSP!NSPStartup+0×18d3c
08d6fba4 032c6708
08d6fba8 16085126 mdnsNSP!NSPStartup+0×24b6

Stack상에 그 영역의 값을 가지는 것이 보이는군요. 그럼 다시 mdnsNSP!NSPStartup+0×24b6 위치에서 호출되진 함수를 보죠.

0:029> ub mdnsNSP!NSPStartup+0x24b6
mdnsNSP!NSPStartup+0x249a:
1608510a 3bf7 cmp esi,edi
1608510c 59 pop ecx
1608510d 59 pop ecx
1608510e 0f84a9feffff je mdnsNSP!NSPStartup+0x234d (16084fbd)
16085114 56 push esi
16085115 ff3538fc0916 push dword ptr [mdnsNSP!NSPStartup+0x1cfc8 (1609fc38)]
1608511b ff350c090a16 push dword ptr [mdnsNSP!NSPStartup+0x1dc9c (160a090c)]
16085121 e8fa430000 call mdnsNSP!NSPStartup+0×68b0 (16089520)

0:029> uf mdnsNSP!NSPStartup+0×68b0
mdnsNSP!NSPStartup+0×68b0:
16089520 56 push esi
16089521 ff353cfc0916 push dword ptr [mdnsNSP!NSPStartup+0x1cfcc (1609fc3c)]
16089527 8b35ecb00916 mov esi,dword ptr [mdnsNSP!NSPStartup+0x1847c (1609b0ec)]
1608952d ffd6 call esi
1608952f 85c0 test eax,eax
16089531 7421 je mdnsNSP!NSPStartup+0×68e4 (16089554)

mdnsNSP!NSPStartup+0×68c3:
16089533 a138fc0916 mov eax,dword ptr [mdnsNSP!NSPStartup+0x1cfc8 (1609fc38)]
16089538 83f8ff cmp eax,0FFFFFFFFh
1608953b 7417 je mdnsNSP!NSPStartup+0×68e4 (16089554)

mdnsNSP!NSPStartup+0×68cd:
1608953d 50 push eax
1608953e ff353cfc0916 push dword ptr [mdnsNSP!NSPStartup+0x1cfcc (1609fc3c)]
16089544 ffd6 call esi
16089546 ffd0 call eax
16089548 85c0 test eax,eax
1608954a 7408 je mdnsNSP!NSPStartup+0×68e4 (16089554)

mdnsNSP!NSPStartup+0×68dc:
1608954c 8b80fc010000 mov eax,dword ptr [eax+1FCh]
16089552 eb1b jmp mdnsNSP!NSPStartup+0×68ff (1608956f)

mdnsNSP!NSPStartup+0×68e4:
16089554 689cb90916 push offset mdnsNSP!NSPStartup+0×18d2c (1609b99c)
16089559 ff15d0b00916 call dword ptr [mdnsNSP!NSPStartup+0x18460 (1609b0d0)]
1608955f 85c0 test eax,eax
16089561 741a je mdnsNSP!NSPStartup+0×690d (1608957d)

mdnsNSP!NSPStartup+0×68f3:
16089563 68acb90916 push offset mdnsNSP!NSPStartup+0×18d3c (1609b9ac)
16089568 50 push eax
16089569 ff1558b00916 call dword ptr [mdnsNSP!NSPStartup+0x183e8 (1609b058)]

mdnsNSP!NSPStartup+0×68ff:
1608956f 85c0 test eax,eax
16089571 740a je mdnsNSP!NSPStartup+0×690d (1608957d)

mdnsNSP!NSPStartup+0×6903:
16089573 ff742408 push dword ptr [esp+8]
16089577 ffd0 call eax
16089579 89442408 mov dword ptr [esp+8],eax

mdnsNSP!NSPStartup+0×690d:
1608957d 8b442408 mov eax,dword ptr [esp+8]
16089581 5e pop esi
16089582 c3 ret

같은 방법으로 mdnsNSP!NSPStartup+0×68b0 Function내에 Address를 나타내는 Return Address를 Raw Stack에서 발견할 수 있죠. ( mdnsNSP!NSPStartup+0×68ff 값을요 … )  mdnsNSP!NSPStartup+0×68ff값을 Return Address로 가지는 함수 Call을 찾아 보면 정말 문제를 일으킨 원인이 대략적으로 보여지겠죠.

0:029> dd 1609b058
1609b058 0aad8085 0aad7ee5 7c809f81 7c8097f6
1609b068 7c809a1d 7c8099bf 7c80981e 7c812a99
1609b078 7c93ff0d 7c949b80 7c9400a4 7c8097b8
1609b088 7c812fad 7c812b6e 7c80ac51 7c801e1a
1609b098 7c80de85 7c863e6a 7c8449fd 7c813123
1609b0a8 7c810f88 7c812c46 7c809b74 7c861c00
1609b0b8 7c809ae1 7c95aba5 7c80cd27 7c812fc9
1609b0c8 7c810ee1 7c833490 7c80b731 7c81cafa

0:029> dps 1609b048
1609b048 7c80a0ed kernel32!WaitForMultipleObjects
1609b04c 7c83089d kernel32!CreateEventA
1609b050 7c80a164 kernel32!WideCharToMultiByte
1609b054 7c814f7a kernel32!GetSystemDirectoryA
1609b058 0aad8085
1609b05c 0aad7ee5
1609b060 7c809f81 kernel32!InitializeCriticalSection
1609b064 7c8097f6 kernel32!InterlockedIncrement
1609b068 7c809a1d kernel32!LocalAlloc
1609b06c 7c8099bf kernel32!LocalFree
1609b070 7c80981e kernel32!InterlockedExchange
1609b074 7c812a99 kernel32!RaiseException
1609b078 7c93ff0d ntdll!RtlFreeHeap
1609b07c 7c949b80 ntdll!RtlReAllocateHeap
1609b080 7c9400a4 ntdll!RtlAllocateHeap
1609b084 7c8097b8 kernel32!GetCurrentThreadId
1609b088 7c812fad kernel32!GetCommandLineA
1609b08c 7c812b6e kernel32!GetVersionExA
1609b090 7c80ac51 kernel32!GetProcessHeap
1609b094 7c801e1a kernel32!TerminateProcess
1609b098 7c80de85 kernel32!GetCurrentProcess
1609b09c 7c863e6a kernel32!UnhandledExceptionFilter
1609b0a0 7c8449fd kernel32!SetUnhandledExceptionFilter
1609b0a4 7c813123 kernel32!IsDebuggerPresent
1609b0a8 7c810f88 kernel32!HeapDestroy
1609b0ac 7c812c46 kernel32!HeapCreate
1609b0b0 7c809b74 kernel32!VirtualFree
1609b0b4 7c861c00 kernel32!FatalAppExitA
1609b0b8 7c809ae1 kernel32!VirtualAlloc
1609b0bc 7c95aba5 ntdll!RtlUnwind
1609b0c0 7c80cd27 kernel32!LockResource
1609b0c4 7c812fc9 kernel32!GetStdHandle

0:029> lmv m mdnsNSP
start end module name
16080000 160a5000 mdnsNSP (export symbols) mdnsNSP.dll
Loaded symbol image file: mdnsNSP.dll
Image path: C:\Program Files\Bonjour\mdnsNSP.dll
Image name: mdnsNSP.dll
Timestamp: Fri Aug 15 07:54:04 2008 (48A4B78C)
CheckSum: 0002A010
ImageSize: 00025000
File version: 1.0.5.11
Product version: 1.0.5.11
File flags: 0 (Mask 17)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Apple Inc.
ProductName: Bonjour
InternalName: mdnsNSP.dll
OriginalFilename: mdnsNSP.dll
ProductVersion: 1,0,5,11
FileVersion: 1,0,5,11
FileDescription: Bonjour Namespace Provider
LegalCopyright: Copyright (C) 2003-2008 Apple Inc.

대략적으로 7c로 지작하는 주소들이 쭉있는것으로 봐서 mdnsNSP의 Import된 Function 임을 추정할 수 있습니다. 그런데 이상한점은 실제로 Call되어지는 함수는 어떤모듈에 의해서 Hooking 되어 졌군요.

0aa90000 0aac0000 Foo.dll ( 실제 이름은 Foo가 아닙니다. )
Timestamp: Thu Jan 01 09:00:01 1970 (00000001)
Checksum: 00000000

0aad8085의 위치는 Foo.dll의 영역이군요. 원인이된 부분은 바로 Foo.dll의 Hooking Function중 하나겠군요  !!! ( 그런데 아쉽게 Unload 되어 졌군요. 무슨 이유에서인지 Waiting 상태에서 Unload된것으로 보여지는군요. ) 만약 Waiting이 풀렸더라도 Exception….

[windbg] Raw Stack Trace - dds , ebp

Published
by
admin
on 4월 30, 2008
in Debugging Windows
. Comments

많은 분들이 Raw Stack Trace에 대해서 궁금해 하시더군요. Stack 만 보고 어찌 Trace를 하냐고 .. Stack이 깨지 않는 이상 Raw Stack Trace를 하는 경우는 거의 없습니다. 물론 간혹 중간 중간의 Data가 깨져서 안보일 경우는 Raw Stack Trace를 해줘야하지만요 .

0:000> ~0kvn 50
# ChildEBP RetAddr Args to Child
00 0013ef14 77cf9418 77d0dba8 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 0013ef4c 77d0593f 00060156 00000000 00000001 USER32!NtUserWaitMessage+0xc
02 0013ef74 77d1a91e 77cf0000 00194538 00000000 USER32!InternalDialogBox+0xd0 (FPO: [Non-Fpo])
03 0013f234 77d1a284 0013f390 0013f508 0013f430 USER32!SoftModalMessageBox+0×938 (FPO: [Non-Fpo])
04 0013f384 77d461d3 0013f390 00000028 00000000 USER32!MessageBoxWorker+0×2ba (FPO: [Non-Fpo])
05 0013f3dc 77d305f3 00000000 0069a6e0 0069a6ec USER32!MessageBoxTimeoutW+0×7a (FPO: [Non-Fpo])
06 0013f3fc 77d4634f 00000000 0069a6e0 0069a6ec USER32!MessageBoxExW+0×1b (FPO: [Non-Fpo])
07 0013f418 004edc49 00000000 0069a6e0 0069a6ec USER32!MessageBoxW+0×45 (FPO: [Non-Fpo])
08 0013f508 004f9fb0 00000000 00000176 00000004 PackerTest!CPackerTestDlg::OnBnClickedOk+0×39 (FPO: [Non-Fpo]) (CONV: thiscall) [e:\per\packertest\packertest\packertestdlg.cpp @ 156]
09 0013f54c 004fa6ef 0013fe18 00000001 00000000 PackerTest!_AfxDispatchCmdMsg+0xb0 (FPO: [Non-Fpo]) (CONV: stdcall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp @ 82]
0a 0013f5b0 004fff21 00000001 00000000 00000000 PackerTest!CCmdTarget::OnCmdMsg+0×2df (FPO: [Non-Fpo]) (CONV: thiscall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp @ 381]
0b 0013f5ec 0050b20d 00000001 00000000 00000000 PackerTest!CDialog::OnCmdMsg+0×21 (FPO: [Non-Fpo]) (CONV: thiscall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcore.cpp @ 85]
0c 0013f650 0050a197 00000001 000a0220 a3ca6afd PackerTest!CWnd::OnCommand+0×16d (FPO: [Non-Fpo]) (CONV: thiscall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2300]
0d 0013f788 0050a0f0 00000111 00000001 000a0220 PackerTest!CWnd::OnWndMsg+0×77 (FPO: [Non-Fpo]) (CONV: thiscall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 1755]
0e 0013f7a8 005075ee 00000111 00000001 000a0220 PackerTest!CWnd::WindowProc+0×30 (FPO: [Non-Fpo]) (CONV: thiscall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 1741]
0f 0013f824 00507af4 0013fe18 00080148 00000111 PackerTest!AfxCallWndProc+0xee (FPO: [Non-Fpo]) (CONV: stdcall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 240]
10 0013f844 77cf8734 00080148 00000111 00000001 PackerTest!AfxWndProc+0xa4 (FPO: [Non-Fpo]) (CONV: stdcall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 389]
11 0013f870 77cf8816 004dbe1a 00080148 00000111 USER32!InternalCallWinProc+0×28
12 0013f8d8 77cfb4c0 00000000 004dbe1a 00080148 USER32!UserCallWinProcCheckWow+0×150 (FPO: [Non-Fpo])
13 0013f92c 77cfb50c 0098f2a0 00000111 00000001 USER32!DispatchClientMessage+0xa3 (FPO: [Non-Fpo])
14 0013f954 7c93eae3 0013f964 00000018 0098f2a0 USER32!__fnDWORD+0×24 (FPO: [Non-Fpo])
15 0013f978 77cf94be 77cfd4e4 00080148 00000111 ntdll!KiUserCallbackDispatcher+0×13 (FPO: [0,0,0])
16 0013f9b4 77cfb903 0098f2a0 00000111 00000001 USER32!NtUserMessageCall+0xc
17 0013f9d4 77187344 00080148 00000111 00000001 USER32!SendMessageW+0×7f (FPO: [Non-Fpo])
18 0013f9f4 77187426 0018b7c0 00000000 000c002a COMCTL32!Button_NotifyParent+0×3d (FPO: [Non-Fpo])
19 0013fa10 7718972b 0018b7c0 00000001 0013fb08 COMCTL32!Button_ReleaseCapture+0xd7 (FPO: [Non-Fpo])
1a 0013faa0 77cf8734 000a0220 00000202 00000000 COMCTL32!Button_WndProc+0×887 (FPO: [Non-Fpo])
1b 0013facc 77cf8816 77188ea4 000a0220 00000202 USER32!InternalCallWinProc+0×28
1c 0013fb34 77cf89cd 00000000 77188ea4 000a0220 USER32!UserCallWinProcCheckWow+0×150 (FPO: [Non-Fpo])
1d 0013fb94 77cf8a10 00188cb8 00000000 0013fbc8 USER32!DispatchMessageWorker+0×306 (FPO: [Non-Fpo])
1e 0013fba4 77d0d99d 00188cb8 7ffdb000 0013fd2c USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
1f 0013fbc8 0051f4e1 00080148 00a2fb28 77cfb970 USER32!IsDialogMessageW+0×572 (FPO: [Non-Fpo])
20 0013fbe0 0050f8ec 00188cb8 0013fe18 0013fc08 PackerTest!CWnd::IsDialogMessageW+0×71 (FPO: [Non-Fpo]) (CONV: thiscall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\winocc.cpp @ 198]
21 0013fbf0 004ffeed 00188cb8 0013fe18 0013fe18 PackerTest!CWnd::PreTranslateInput+0×6c (FPO: [Non-Fpo]) (CONV: thiscall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 4268]
22 0013fc08 0050c36b 00188cb8 0013fe18 00080148 PackerTest!CDialog::PreTranslateMessage+0xed (FPO: [Non-Fpo]) (CONV: thiscall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcore.cpp @ 80]
23 0013fc1c 004fbddd 00080148 00188cb8 0013fc3c PackerTest!CWnd::WalkPreTranslateTree+0×8b (FPO: [Non-Fpo]) (CONV: stdcall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2882]
24 0013fc38 004fcdc3 00188cb8 00783e40 0013fc58 PackerTest!AfxInternalPreTranslateMessage+0×4d (FPO: [Non-Fpo]) (CONV: cdecl) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp @ 233]
25 0013fc48 004fbe53 00188cb8 00783e40 0013fc78 PackerTest!CWinThread::PreTranslateMessage+0×23 (FPO: [Non-Fpo]) (CONV: thiscall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp @ 773]
26 0013fc58 004fbcaf 00188cb8 0013fc74 005356b5 PackerTest!AfxPreTranslateMessage+0×23 (FPO: [Non-Fpo]) (CONV: cdecl) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp @ 252]
27 0013fc78 004fd11c 00783e40 0013fc90 004fbcff PackerTest!AfxInternalPumpMessage+0xdf (FPO: [Non-Fpo]) (CONV: stdcall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp @ 178]
28 0013fc84 004fbcff 00783e40 0013fcb8 0050fad5 PackerTest!CWinThread::PumpMessage+0xc (FPO: [Non-Fpo]) (CONV: thiscall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp @ 896]
29 0013fc90 0050fad5 00000000 00000000 0013fe18 PackerTest!AfxPumpMessage+0×1f (FPO: [Non-Fpo]) (CONV: stdcall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp @ 190]
2a 0013fcb8 00500f41 00000004 a3ca6051 0013feb0 PackerTest!CWnd::RunModalLoop+0×1d5 (FPO: [Non-Fpo]) (CONV: thiscall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 4322]
2b 0013fd24 004ed19d a3ca63c9 00011970 7c9418f1 PackerTest!CDialog::DoModal+0×1e1 (FPO: [Non-Fpo]) (CONV: thiscall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcore.cpp @ 587]
2c 0013febc 00685c52 00000000 00188e40 0013fedc PackerTest!CPackerTestApp::InitInstance+0xad (FPO: [Non-Fpo]) (CONV: thiscall) [e:\per\packertest\packertest\packertest.cpp @ 63]
2d 0013fee0 00685b48 00400000 00000000 00020914 PackerTest!AfxWinMain+0×82 (FPO: [Non-Fpo]) (CONV: stdcall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\winmain.cpp @ 37]
2e 0013fef8 006126ef 00400000 00000000 00020914 PackerTest!wWinMain+0×18 (FPO: [Non-Fpo]) (CONV: stdcall) [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\appmodul.cpp @ 33]
2f 0013ffb8 0061242d 0013fff0 7c816fd7 00011970 PackerTest!__tmainCRTStartup+0×2af (FPO: [Non-Fpo]) (CONV: cdecl) [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 324]
30 0013ffc0 7c816fd7 00011970 7c9418f1 7ffdb000 PackerTest!wWinMainCRTStartup+0xd (FPO: [Non-Fpo]) (CONV: cdecl) [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 196]
31 0013fff0 00000000 004da8d5 00000000 78746341 kernel32!BaseProcessStart+0×23 (FPO: [Non-Fpo])

일단 꽤 큰 Call Stack을 만들어 봤습니다.  ( 사실 이 정도는 큰게 아닙니다. ..  MFC를 사용하면 쉽게 만들어지는 … )  맨아랫줄만 보면 kernel32!BaseProcessStart 의 EBP는 0013fff0 이고 PackerTest!wWinMainCRTStartup의 EBP는 0013ffc0 return Address는 7c816fd7  입니다. 그럼 Raw Stack 상에는 어떻게 나타날까 ?? 

0013ff9c 00000005
0013ffa0 0013ff10
0013ffa4 000009e9
0013ffa8 0013ffe0
0013ffac 004de5a7 PackerTest!ILT+34210(__except_handler4)
0013ffb0 a3ae243d
0013ffb4 00000001
0013ffb8 0013ffc0
0013ffbc 0061242d PackerTest!wWinMainCRTStartup+0xd [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 196]
0013ffc0 0013fff0
0013ffc4 7c816fd7 kernel32!BaseProcessStart+0×23
0013ffc8 00011970
0013ffcc 7c9418f1 ntdll!RtlDeleteCriticalSection+0×72
0013ffd0 7ffdb000
0013ffd4 805522fa
0013ffd8 0013ffc8
0013ffdc 85e23790
0013ffe0 ffffffff
0013ffe4 7c839aa8 kernel32!_except_handler3
0013ffe8 7c816fe0 kernel32!`string’+0×98
0013ffec 00000000
0013fff0 00000000
0013fff4 00000000
0013fff8 004da8d5 PackerTest!ILT+18640(_wWinMainCRTStartup)
0013fffc 00000000
00140000 78746341

EBP에는 Child EBP가 EBP+4에는 Return Address가 있다는걸 명심하시기 바랍니다.  Application의 경우 Raw Stack Trace는 BaseProcessStart를 찾는것 부터 시작합니다.  0013ffc4  7c816fd7 kernel32!BaseProcessStart+0×23 이 부분을 보면 Return Address를 표시한 부분이죠. EBP-4위치가 바로 kernel32!BaseProcessStart+0×23  부근에서 Call 되어진 Function의 EBP 가 됩니다. 0013ffc0  0013fff0 부분이 그것이죠 0013ffc0은 kernel32!BaseProcessStart+0×23 부근에서 Call 되어진 Function의 EBP이고  0013fff0는 kernel32!BaseProcessStart의 EBP가 되겠죠. 그럼 다음 Function의 Stack을 찾기 위해서는 0013ffc0를 값으로 가지고 있는 부분을 검색해 내면 ( 검색된 부분 + 4 ) Address에 다시 Return Address가 존재 하게 됩니다.

0013ffb8 0013ffc0
0013ffbc 0061242d PackerTest!wWinMainCRTStartup+0xd [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 196]

바로 이 부분이 그 부분이 됩니다.  0013ffc0 값이 0013ffb8 Address에 저장되어 있군요. 다시 말해 PackerTest!wWinMainCRTStartup+0xd 부근에서 Call 되어진 Function의 EBP는  0013ffb8 가 되는거죠. 다시 같은 방법으로 0013ffb8를 검색하면 다음 EBP를 구해 낼수 있게 됩니다.  이런식으로 Stack Trace를 하게되면 아래와 같은 부분 들을 찾을 수 있습니다.

0013ef4c 0013ef74
0013ef50 77d0593f USER32!InternalDialogBox+0xd0
0013ef54 00060156
0013ef58 00000000
0013ef5c 00000001
0013ef60 00000000
... 너무 많아서 생략
0013fc78 0013fc84
0013fc7c 004fd11c PackerTest!CWinThread::PumpMessage+0xc [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp @ 896]

0013fc84 0013fc90
0013fc88 004fbcff PackerTest!AfxPumpMessage+0×1f [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp @ 190]

0013fc90 0013fcb8
0013fc94 0050fad5 PackerTest!CWnd::RunModalLoop+0×1d5 [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 4322]

0013fcb8 0013fd24
0013fcbc 00500f41 PackerTest!CDialog::DoModal+0×1e1 [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcore.cpp @ 587]

0013fd24 0013febc
0013fd28 004ed19d PackerTest!CPackerTestApp::InitInstance+0xad [e:\per\packertest\packertest\packertest.cpp @ 63]

0013febc 0013fee0
0013fec0 00685c52 PackerTest!AfxWinMain+0×82 [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\winmain.cpp @ 37]

0013fee0 0013fef8
0013fee4 00685b48 PackerTest!wWinMain+0×18 [f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\appmodul.cpp @ 33]
0013fee8 00400000 PackerTest!_enc$textbss$begin <PERF> (PackerTest+0×0)
0013feec 00000000
0013fef0 00020914
0013fef4 0000000a
0013fef8 0013ffb8
0013fefc 006126ef PackerTest!__tmainCRTStartup+0×2af [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 324]

0013ffb8 0013ffc0
0013ffbc 0061242d PackerTest!wWinMainCRTStartup+0xd [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 196]
0013ffc0 0013fff0
0013ffc4 7c816fd7 kernel32!BaseProcessStart+0×23

이렇게 검색된 Raw Stack의 최상위 EBP를 이용하여 Stack을 재구성해 보면

0:000> K L=0013ef4c 50
ChildEBP RetAddr
0013ef14 77cf9418 ntdll!KiFastSystemCallRet
0013ef4c 77d0593f USER32!NtUserWaitMessage+0xc
0013ef74 77d1a91e USER32!InternalDialogBox+0xd0
0013f234 77d1a284 USER32!SoftModalMessageBox+0×938
0013f384 77d461d3 USER32!MessageBoxWorker+0×2ba
0013f3dc 77d305f3 USER32!MessageBoxTimeoutW+0×7a
0013f3fc 77d4634f USER32!MessageBoxExW+0×1b
0013f418 004edc49 USER32!MessageBoxW+0×45
0013f508 004f9fb0 PackerTest!CPackerTestDlg::OnBnClickedOk+0×39
0013f54c 004fa6ef PackerTest!_AfxDispatchCmdMsg+0xb0
0013f5b0 004fff21 PackerTest!CCmdTarget::OnCmdMsg+0×2df
0013f5ec 0050b20d PackerTest!CDialog::OnCmdMsg+0×21
0013f650 0050a197 PackerTest!CWnd::OnCommand+0×16d
0013f788 0050a0f0 PackerTest!CWnd::OnWndMsg+0×77
0013f7a8 005075ee PackerTest!CWnd::WindowProc+0×30
0013f824 00507af4 PackerTest!AfxCallWndProc+0xee
0013f844 77cf8734 PackerTest!AfxWndProc+0xa4
0013f870 77cf8816 USER32!InternalCallWinProc+0×28
0013f8d8 77cfb4c0 USER32!UserCallWinProcCheckWow+0×150
0013f92c 77cfb50c USER32!DispatchClientMessage+0xa3
0013f954 7c93eae3 USER32!__fnDWORD+0×24
0013f978 77cf94be ntdll!KiUserCallbackDispatcher+0×13
0013f9b4 77cfb903 USER32!NtUserMessageCall+0xc
0013f9d4 77187344 USER32!SendMessageW+0×7f
0013f9f4 77187426 COMCTL32!Button_NotifyParent+0×3d
0013fa10 7718972b COMCTL32!Button_ReleaseCapture+0xd7
0013faa0 77cf8734 COMCTL32!Button_WndProc+0×887
0013facc 77cf8816 USER32!InternalCallWinProc+0×28
0013fb34 77cf89cd USER32!UserCallWinProcCheckWow+0×150
0013fb94 77cf8a10 USER32!DispatchMessageWorker+0×306
0013fba4 77d0d99d USER32!DispatchMessageW+0xf
0013fbc8 0051f4e1 USER32!IsDialogMessageW+0×572
0013fbe0 0050f8ec PackerTest!CWnd::IsDialogMessageW+0×71
0013fbf0 004ffeed PackerTest!CWnd::PreTranslateInput+0×6c
0013fc08 0050c36b PackerTest!CDialog::PreTranslateMessage+0xed
0013fc1c 004fbddd PackerTest!CWnd::WalkPreTranslateTree+0×8b
0013fc38 004fcdc3 PackerTest!AfxInternalPreTranslateMessage+0×4d
0013fc48 004fbe53 PackerTest!CWinThread::PreTranslateMessage+0×23
0013fc58 004fbcaf PackerTest!AfxPreTranslateMessage+0×23
0013fc78 004fd11c PackerTest!AfxInternalPumpMessage+0xdf
0013fc84 004fbcff PackerTest!CWinThread::PumpMessage+0xc
0013fc90 0050fad5 PackerTest!AfxPumpMessage+0×1f
0013fcb8 00500f41 PackerTest!CWnd::RunModalLoop+0×1d5
0013fd24 004ed19d PackerTest!CDialog::DoModal+0×1e1
0013febc 00685c52 PackerTest!CPackerTestApp::InitInstance+0xad
0013fee0 00685b48 PackerTest!AfxWinMain+0×82
0013fef8 006126ef PackerTest!wWinMain+0×18
0013ffb8 0061242d PackerTest!__tmainCRTStartup+0×2af
0013ffc0 7c816fd7 PackerTest!wWinMainCRTStartup+0xd
0013fff0 00000000 kernel32!BaseProcessStart+0×23

멋지게 Stack을 볼수 있게 되죠 .. 그 외에 간단한 Tip이라면 EBP+8위치에는 첫번째 Parameter가 오고 EBP-4위치에는 첫번째 Local Value가 들어갑니다.