I need to obtain the addresses (absolute) of all functions that call the below function. Can this be done in Windbg ?
The function that I would like to find all callers of is KeBugCheckEx
lkd> uf nt!KeBugCheckEx
CodePudding user response:
That cannot be a realistic requirement
KeBugCheckEx is an exported Function as such it can be called by AnyOne who wants to call it
dumpbin /exports c:\Windows\System32\ntoskrnl.exe | findstr "KeBugCheckEx"
1114 442 003F8FA0 KeBugCheckEx
over and above as commented by Raymond chen indirect calls are not resolvable statically
still if you want to go ahead try this
this may scrap around 50% hopefully :)
0: kd> lm m nt
start end module name
fffff800`73800000 fffff800`74846000 nt (pdb symbols) f:\symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb
0: kd> .hh
0: kd> # KeBugCheckEx fffff800`73800000 L?(fffff800`74846000-fffff800`73800000)
*** WARNING: Unable to verify timestamp for volmgrx.sys
nt!ExAcquireFastMutexUnsafe 0x12f:
fffff800`73a0971f e87cf81e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!MiIdentifyPfn 0xd1b:
fffff800`73a0d94b e850b61e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!ExAcquireFastMutex 0x14a:
fffff800`73a0dbaa e8f1b31e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!ExAcquireCacheAwarePushLockSharedEx 0x14a:
fffff800`73a0df1a e881b01e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!ExAcquirePushLockExclusiveEx 0x146:
fffff800`73a0e4b6 e8e5aa1e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!ExAcquirePushLockSharedEx 0x13d:
fffff800`73a0e66d e82ea91e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!ExReleaseResourceLite 0x18d:
fffff800`73a0ef7d e81ea01e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!ExAcquireResourceExclusiveLite 0x2eb:
:>python -c print(len((open('callkebug.txt','r')).readlines())) 3224