I'm trying to read the unwind data of some dlls (in this case: ntdll.dll).
I noticed that in some cases I read the data jsut fine, but in other cases I see "garbage".
I used dumpbin to look at the unwind data in the dll and I noticed that when I read "garbage" - dumbin can't read it either.
This is what I see with dumpbin:
00006EF4 000442AF 000442C3 0014265D
00006F00 000442C3 000442CD 00142669
00006F0C 000442CD 000442D9 001444D5
00006F18 000442D9 000442FD 00147E95
00006F24 000442FD 00044376 00144679
00006F30 00044376 000443D0 001448A1
00006F3C 000443D0 0004442C 001254B0
Unwind version: 1
Unwind flags: None
Size of prologue: 0x0A
Count of codes: 4
0A: ALLOC_LARGE, size=0x1A8
03: PUSH_NONVOL, register=rdi
02: PUSH_NONVOL, register=rsi
I also noticed that when I resolve an IP to a "garbaged" runtime function,SymFunctionTableAccess64 does something that couldn't find any documnetation of.
So my questions are:
1. Is this really a garbaged unwind info? If not, how can I read its content?
2. What does SymFunctionTableAccess64 do when it handles such "garbage"? Where can I find some documentation for it?
Edited by Idov, 27 April 2013 - 08:47 AM.